CMS Web-Gooroo - exploit.company

vendor:

CMS Web-Gooroo

by:

Kaimi

8,8

CVSS

HIGH

SQL Injection, Hardcoded admin user, Full path disclosure, Unrestricted file upload

89, 522, 200, 264

CWE

Product Name: CMS Web-Gooroo

Affected Version From: <=1.141

Affected Version To: <=1.141

Patch Exists: NO

Related CWE: N/A

CPE: a:web-gooroo:cms_web-gooroo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2017

CMS Web-Gooroo <=1.141 - Multiple Vulnerabilities

SQL Injection vulnerability exists in the file /wbg/core/_includes/authorization.inc.php due to lack of input validation. Hardcoded admin user credentials are present in the same file. Full path disclosure vulnerability exists due to lack of input validation in almost any file. Unrestricted file upload can be done via admin panel as attachment to any publication without any file type checking.

Mitigation:

Input validation should be performed for all user inputs. Hardcoded admin user credentials should be removed. File type checking should be performed for file uploads.

Source

Exploit-DB raw data:

# Exploit Title: CMS Web-Gooroo <=1.141 - Multiple Vulnerabilities
# Date: 01-06-2017
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Vendor Homepage: http://web.archive.org/web/20120510194357/http://www.web-gooroo.com/
# Software Link: https://github.com/andrey-buligin/hanna/tree/master/wbg
# Version: <=1.141
# Category: webapps


1. SQL Injection
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
$SQL_query = 'SELECT * FROM wbg_users WHERE (login=\'' . $_POST['wbg_login'] . '\') AND (password=\'' . md5(md5($_POST['wbg_password'])) . '\')';
$USER = mysql_fetch_assoc(mysql_query($SQL_query));


2. Hardcoded admin user
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
if ((md5($_POST['wbg_login']) == '2d626704807d4c5be1b46e85c4070fec') && (md5($_POST['wbg_password']) == '2967a371178d713d3898957dd44786af')) {
	$USER = $this->get_megaadmin();
}

2d626704807d4c5be1b46e85c4070fec - mayhem
2967a371178d713d3898957dd44786af - no success in bruteforce, though...

3. Full path disclosure
Almost any file, because of lack of input validation and overall bad design.
CMS log file (besides DB log) location with full path and debug info:
/wbg/tmp/logs/syslog.log.php

4. Unrestricted file upload
Can be done via admin panel as attachment to any publication. No file type checking is performed.