############################################
# Exploit Title : Seditio CMS Multiple Vulnerabilities.
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: www.seditiocms.com
# Google Dork : intext:Powered by Seditio CMS
# Software Link : http://www.seditiocms.com/datas/users/1/1-10d40e-sed-en.rar
# Date : 2017 18 March
# CVE : N/A
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : Ashiyane.org
#
############################################
## Seditio CMS SQL And Xss Vulnerabilities
## Research By Ashiyane Digital Security Team.
## Directory : (include) system/core/page/page.print.inc.php
############################################
# # # # # # # # # # # #
# Vulnerability Code #
# # # # # # # # # # # #
<?PHP
/* ====================
Seditio - Website engine
Copyright Neocrome
http://www.seditiocms.com
[BEGIN_SED]
File=page.print.inc.php
Version=171
Updated=2013-mar-05
Type=Core
Author=Neocrome
Description=Pages
[END_SED]
==================== */
if (!defined('SED_CODE')) { die('Wrong URL.'); }
list($usr['auth_read'], $usr['auth_write'], $usr['isadmin']) = sed_auth('page', 'any');
sed_block($usr['auth_read']);
$id = sed_import('id','G','INT');
$al = sed_import('al','G','ALP');
$r = sed_import('r','G','ALP');
$c = sed_import('c','G','TXT');
$pg = sed_import('pg','G','INT');
/* === Hook === */
$extp = sed_getextplugins('page.first');
if (is_array($extp))
{ foreach($extp as $k => $pl) { include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php'); } }
/* ===== */
if (!empty($al))
{ $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_alias='$al' LIMIT 1"); }
else
{ $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_id='$id'"); }
sed_die(sed_sql_numrows($sql)==0);
$pag = sed_sql_fetcharray($sql);
$pag['page_date'] = @date($cfg['dateformat'], $pag['page_date'] + $usr['timezone'] * 3600);
$pag['page_begin'] = @date($cfg['dateformat'], $pag['page_begin'] + $usr['timezone'] * 3600);
$pag['page_expire'] = @date($cfg['dateformat'], $pag['page_expire'] + $usr['timezone'] * 3600);
$pag['page_tab'] = (empty($pg)) ? 1 : $pg;
$pag['page_pageurl'] = (empty($pag['page_alias'])) ? "page.php?id=".$pag['page_id'] : "page.php?al=".$pag['page_alias'];
$catpath = sed_build_catpath($pag['page_cat'], "<a href=\"list.php?c=%1\$s\">%2\$s</a>");
$pag['page_fulltitle'] = $catpath." ".$cfg['separator']." <a href=\"".$pag['page_pageurl']."\">".$pag['page_title']."</a>";
$pag['page_fulltitle'] .= ($pag['page_totaltabs']>1 && !empty($pag['page_tabtitle'][$pag['page_tab']-1])) ? " (".$pag['page_tabtitle'][$pag['page_tab']-1].")" : '';
$item_code = 'p'.$pag['page_id'];
list($comments_link, $comments_display, $comments_count) = sed_build_comments($item_code, $pag['page_pageurl'], $comments);
$sys['sublocation'] = $sed_cat[$c]['title'];
$out['subtitle'] = $pag['page_title'];
/* === Hook === */
$extp = sed_getextplugins('page.main');
if (is_array($extp))
{ foreach($extp as $k => $pl) { include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php'); } }
/* ===== */
$t = new XTemplate("skins/".$skin."/page.print.tpl");
$t->assign(array(
"PAGE_ID" => $pag['page_id'],
"PAGE_STATE" => $pag['page_state'],
"PAGE_EXECUTE" => $pag['page_execute'],
"PAGE_TITLE" => $pag['page_fulltitle'],
"PAGE_TITLEURL" => $cfg['mainurl']."/page.php?id=".$id,
"PAGE_SHORTTITLE" => $pag['page_title'],
"PAGE_CAT" => $pag['page_cat'],
"PAGE_CATTITLE" => $sed_cat[$pag['page_cat']]['title'],
"PAGE_CATPATH" => $catpath,
"PAGE_CATDESC" => $sed_cat[$pag['page_cat']]['desc'],
"PAGE_CATICON" => $sed_cat[$pag['page_cat']]['icon'],
"PAGE_KEY" => $pag['page_key'],
"PAGE_EXTRA1" => $pag['page_extra1'],
"PAGE_EXTRA2" => $pag['page_extra2'],
"PAGE_EXTRA3" => $pag['page_extra3'],
"PAGE_EXTRA4" => $pag['page_extra4'],
"PAGE_EXTRA5" => $pag['page_extra5'],
"PAGE_DESC" => $pag['page_desc'],
"PAGE_AUTHOR" => $pag['page_author'],
"PAGE_OWNER" => sed_build_user($pag['page_ownerid'], sed_cc($pag['user_name'])),
"PAGE_AVATAR" => sed_build_userimage($pag['user_avatar']),
"PAGE_DATE" => $pag['page_date'],
"PAGE_BEGIN" => $pag['page_begin'],
"PAGE_EXPIRE" => $pag['page_expire'],
"PAGE_COMMENTS" => $comments_link,
));
if($pag['page_totaltabs']>1)
{
$t->assign(array(
"PAGE_MULTI_TABNAV" => $pag['page_tabnav'],
"PAGE_MULTI_TABTITLES" => $pag['page_tabtitles'],
"PAGE_MULTI_CURTAB" => $pag['page_tab'],
"PAGE_MULTI_MAXTAB" => $pag['page_totaltabs']
));
$t->parse("MAIN.PAGE_MULTI");
}
if ($usr['isadmin'])
{
$t-> assign(array(
"PAGE_ADMIN_COUNT" => $pag['page_count'],
"PAGE_ADMIN_UNVALIDATE" => "<a href=\"admin.php?m=page&s=queue&a=unvalidate&id=".$pag['page_id']."&".sed_xg()."\">".$L['Putinvalidationqueue']."</a>",
"PAGE_ADMIN_EDIT" => "<a href=\"page.php?m=edit&id=".$pag['page_id']."&r=list\">".$L['Edit']."</a>"
));
$t->parse("MAIN.PAGE_ADMIN");
}
switch($pag['page_type'])
{
case '1':
$t->assign("PAGE_TEXT", $pag['page_text']);
break;
case '2':
if ($cfg['allowphp_pages'] && $cfg['allowphp_override'])
{
ob_start();
eval($pag['page_text']);
$t->assign("PAGE_TEXT", ob_get_clean());
}
else
{
$t->assign("PAGE_TEXT", "The PHP mode is disabled for pages.<br />Please see the administration panel, then \"Configuration\", then \"Parsers\".");
}
break;
default:
$t->assign("PAGE_TEXT",sed_parse(sed_cc($pag['page_text']), $cfg['parsebbcodepages'], $cfg['parsesmiliespages'], 1));
break;
}
if($pag['page_file'])
{
if (!empty($pag['page_url']))
{
$dotpos = strrpos($pag['page_url'],".")+1;
$pag['page_fileicon'] = "system/img/pfs/".strtolower(substr($pag['page_url'], $dotpos, 5)).".gif";
if (!file_exists($pag['page_fileicon']))
{ $pag['page_fileicon'] = "system/img/admin/page.gif"; }
$pag['page_fileicon'] = "<img src=\"".$pag['page_fileicon']."\" alt=\"\">";
}
else
{ $pag['page_fileicon'] = ''; }
$t->assign(array(
"PAGE_FILE_URL" => "page.php?id=".$pag['page_id']."&a=dl",
"PAGE_FILE_SIZE" => $pag['page_size'],
"PAGE_FILE_COUNT" => $pag['page_filecount'],
"PAGE_FILE_ICON" => $pag['page_fileicon']
));
$t->parse("MAIN.PAGE_FILE");
}
$t->assign(array (
"HEADER_TITLE" => $cfg['maintitle']." ".$cfg['separator']." ".$pag['page_title']." :: ".$L['plu_title'],
));
$t->parse("MAIN");
$t->out("MAIN");
?>
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
#######################################################
