LoRexxar's Blog | 信息技术分享

Some Vulnerability for FineCMS through 2017.7.11

2017/07/11

Some Vulnerability for FineCMS through 2017.7.11

CVE ID:

  • CVE-2017-11178
  • CVE-2017-11200
  • CVE-2017-11198
  • CVE-2017-11201
  • CVE-2017-11202

Reflected XSS in get_image.php

Technical Description:

file /application/lib/ajax/get_image.php the $_POST['id'] and $_POST['name'] and $_GET['folder'] without any validated, sanitised or output encoded.

Proof of Concept(PoC)

1
2
3
4
5
http://your_finecms/application/lib/ajax/get_image.php?folder=1

POST:

id=1"><script>alert(1)</script>&name=1

image.png-45.5kB

Arbitrary File Modify

Technical Description:

The base function for modify the template css and script can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell.

file /appalication/core/controller/style.php line50-line53
image.png-56.1kB

follow function save()
file /appalication/core/model/style.php line26-line48
image.png-118.8kB

if file exists, we can modify it whihout any limit.

insterestingly, there are two more Vulnerability for same function in different files.

file /appalication/core/model/script.php line26-line48
image.png-101.7kB

Proof of Concept(PoC)

1
2
3
4
5
6
http://your_finecms/index.php?route=template
http://your_finecms/index.php?route=style
http://your_finecms/index.php?route=script

POST:
contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz

image.png-71.9kB

Authenticated SQL injection

all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in application/core/controller/excludes.php, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database.

Technical Description:

file application/core/controller/excludes.php line75, the visitor_ip insert into database without any validated, sanitised or output encoded.

image.png-114.8kB

file /stat/get_stat_data.php line30

image.png-149.7kB

the sql inject into sql_query and execute.

Proof of Concept(PoC)

1
2
3
4
http://127.0.0.1/finecms/index.php?route=excludes&action=add

POST:
visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz

and view http://your_finecms/stat/get_stat_data.php,we can feel website loading sleep.

image.png-138.7kB

Stored XSS in images.php

FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.

Technical Description:

when we upload the file

file application/core/controller/images.php line87

image.png-145.9kB

and follow the function add()
file application/core/model/images.php line78

image.png-381.2kB

if filetype startwith “image”,the filetype will insert into database

when we view the detail of the images
file application/lib/generators/view.php line106, somethings will output into pages.

image.png-264kB

Proof of Concept(PoC)

view the http://your_finecms/index.php?route=images&action=add and upload picture
image.png-105.7kB

modify the picture’s filetype
image.png-96.1kB

view the detail of picture
image.png-63.7kB

image.png-379.4kB

Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages.

http://your_finecms/index.php?route=images&action=edit&id=15
image.png-1782.9kB

view the detail of picture

image.png-75.7kB

Stored XSS in visitors.php

FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.

Technical Description:

just like last vulnerability.

Proof of Concept(PoC)

visit any page with js script code. such as

1
index.php?route=images&action=view&id=14'"><script>alert(1)</script>

image.png-134.2kB

when the admin view the visitors page

image.png-116.3kB

CATALOG
  1. 1. Reflected XSS in get_image.php
    1. 1.1. Technical Description:
    2. 1.2. Proof of Concept(PoC)
  2. 2. Arbitrary File Modify
    1. 2.1. Technical Description:
    2. 2.2. Proof of Concept(PoC)
  3. 3. Authenticated SQL injection
    1. 3.1. Technical Description:
    2. 3.2. Proof of Concept(PoC)
  4. 4. Stored XSS in images.php
    1. 4.1. Technical Description:
    2. 4.2. Proof of Concept(PoC)
  5. 5. Stored XSS in visitors.php
    1. 5.1. Technical Description:
    2. 5.2. Proof of Concept(PoC)