
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017030160

Below is a copy:

Seditio CMS Multiple Vulnerabilities.
############################################
# Exploit Title  : Seditio CMS Multiple Vulnerabilities.
# Exploit Author : Ashiyane Digital Security Team 
# Vendor Homepage: www.seditiocms.com
# Google Dork    : intext:Powered by Seditio CMS
# Software Link  : http://www.seditiocms.com/datas/users/1/1-10d40e-sed-en.rar
# Date           : 18 March 2017
# CVE            : N/A
# Tested On      : Linux - Chrome
# Category       : Web Application
# MY HOME        : Ashiyane.org 
# 
############################################
## Seditio CMS SQL And XSS Vulnerabilities 
## Research By Ashiyane Digital Security Team.
## Directory : (include) system/core/page/page.print.inc.php   
############################################

                                # # # # # # # # # # # #
                                # Vulnerability Code  #
                                # # # # # # # # # # # #

<?PHP

/* ====================
Seditio - Website engine
Copyright Neocrome
http://www.seditiocms.com
[BEGIN_SED]
File=page.print.inc.php
Version=171
Updated=2013-mar-05
Type=Core
Author=Neocrome
Description=Pages
[END_SED]
==================== */

/* Printable view of a single page. This file is meant to be included by the
   core only: the SED_CODE guard stops direct HTTP requests to the file. */
if (!defined('SED_CODE')) { die('Wrong URL.'); }

/* Resolve the caller's read/write/admin rights for the 'page' area and stop
   if reading is not allowed. sed_auth()/sed_block() are core helpers whose
   exact behaviour is defined elsewhere. */
list($usr['auth_read'], $usr['auth_write'], $usr['isadmin']) = sed_auth('page', 'any');
sed_block($usr['auth_read']);

/* Request parameters, read through sed_import() from source 'G' (presumably
   $_GET) with a filter name: INT for id/pg, ALP for al/r, TXT for c.
   NOTE(review): every later use of these values in SQL, array indexes and
   output relies solely on what these filters permit — confirm what 'ALP' and
   'TXT' actually allow before trusting them as sanitisation. */
$id = sed_import('id','G','INT');
$al = sed_import('al','G','ALP');
$r = sed_import('r','G','ALP');
$c = sed_import('c','G','TXT');
$pg = sed_import('pg','G','INT');

/* === Hook === */
/* Plugin hook 'page.first': each registered extension is include()d from
   plugins/<pl_code>/<pl_file>.php. Where sed_getextplugins() takes those
   names from is not visible here; included code runs in this scope and can
   change any variable below. */
$extp = sed_getextplugins('page.first');
if (is_array($extp))
{ foreach($extp as $k => $pl) { include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php'); } }
/* ===== */

/* Load the page by alias when 'al' was given, otherwise by numeric id.
   $al and $id are interpolated straight into the SQL text; there is no
   escaping or parameter binding at this point beyond the sed_import()
   filtering above (ALP for $al, INT for $id). A prepared statement or the
   core's SQL escaper would make this independent of the filter's strictness. */
if (!empty($al))
{ $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_alias='$al' LIMIT 1"); }
else
{ $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_id='$id'"); }

/* No matching row: sed_die() is the core's abort helper, presumably ending
   the request when passed true. Note the id lookup has no LIMIT; only the
   first row is read below. */
sed_die(sed_sql_numrows($sql)==0);
$pag = sed_sql_fetcharray($sql);

/* Shift the stored timestamps by the user's timezone (hours) and format them.
   The '@' hides any date() warning (e.g. a non-numeric stored value) instead
   of handling it. */
$pag['page_date'] = @date($cfg['dateformat'], $pag['page_date'] + $usr['timezone'] * 3600);
$pag['page_begin'] = @date($cfg['dateformat'], $pag['page_begin'] + $usr['timezone'] * 3600);
$pag['page_expire'] = @date($cfg['dateformat'], $pag['page_expire'] + $usr['timezone'] * 3600);
/* Current tab defaults to 1 (empty() treats 0 and '' as missing). */
$pag['page_tab'] = (empty($pg)) ? 1 : $pg;
/* Canonical URL of the page: alias form when an alias exists, id form otherwise. */
$pag['page_pageurl'] = (empty($pag['page_alias'])) ? "page.php?id=".$pag['page_id'] : "page.php?al=".$pag['page_alias'];


/* Breadcrumb: category path as links, then the page title as a link.
   NOTE(review): page_title and page_alias are concatenated into HTML here
   without sed_cc(), unlike user_name further down. Whether these fields are
   already HTML-escaped when stored is not visible in this file — confirm
   before relying on it for output safety. */
$catpath = sed_build_catpath($pag['page_cat'], "<a href=\"list.php?c=%1\$s\">%2\$s</a>");
$pag['page_fulltitle'] = $catpath." ".$cfg['separator']." <a href=\"".$pag['page_pageurl']."\">".$pag['page_title']."</a>";
/* Append the current tab's title when the page has more than one tab. */
$pag['page_fulltitle'] .= ($pag['page_totaltabs']>1 && !empty($pag['page_tabtitle'][$pag['page_tab']-1])) ? " (".$pag['page_tabtitle'][$pag['page_tab']-1].")" : '';


/* Comment-system item key for this page ('p' + page id). */
$item_code = 'p'.$pag['page_id'];

list($comments_link, $comments_display, $comments_count) = sed_build_comments($item_code, $pag['page_pageurl'], $comments);


/* $c is only used as an index into the category table; an unknown key yields
   a null title (and an undefined-index notice), it is not echoed directly. */
$sys['sublocation'] = $sed_cat[$c]['title'];
$out['subtitle'] = $pag['page_title'];

/* === Hook === */
/* Plugin hook 'page.main' — same include mechanism as 'page.first' above. */
$extp = sed_getextplugins('page.main');
if (is_array($extp))
{ foreach($extp as $k => $pl) { include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php'); } }
/* ===== */


/* Template for the print view, chosen by the active skin. */
$t = new XTemplate("skins/".$skin."/page.print.tpl");

/* Page fields exposed to the template. Only PAGE_OWNER passes through
   sed_cc(); the other fields are handed over as stored. */
$t->assign(array(
"PAGE_ID" => $pag['page_id'],
"PAGE_STATE" => $pag['page_state'],
"PAGE_EXECUTE" => $pag['page_execute'],
"PAGE_TITLE" => $pag['page_fulltitle'],
/* NOTE(review): built from the request $id, not $pag['page_id'], so when the
   page was resolved via 'al' this URL does not point at the matched page —
   looks like a bug; verify against the template's use of PAGE_TITLEURL. */
"PAGE_TITLEURL" => $cfg['mainurl']."/page.php?id=".$id,
"PAGE_SHORTTITLE" => $pag['page_title'],
"PAGE_CAT" => $pag['page_cat'],
"PAGE_CATTITLE" => $sed_cat[$pag['page_cat']]['title'],
"PAGE_CATPATH" => $catpath,
"PAGE_CATDESC" => $sed_cat[$pag['page_cat']]['desc'],
"PAGE_CATICON" => $sed_cat[$pag['page_cat']]['icon'],
"PAGE_KEY" => $pag['page_key'],
"PAGE_EXTRA1" => $pag['page_extra1'],
"PAGE_EXTRA2" => $pag['page_extra2'],
"PAGE_EXTRA3" => $pag['page_extra3'],
"PAGE_EXTRA4" => $pag['page_extra4'],
"PAGE_EXTRA5" => $pag['page_extra5'],
"PAGE_DESC" => $pag['page_desc'],
"PAGE_AUTHOR" => $pag['page_author'],
"PAGE_OWNER" => sed_build_user($pag['page_ownerid'], sed_cc($pag['user_name'])),
"PAGE_AVATAR" => sed_build_userimage($pag['user_avatar']),
"PAGE_DATE" => $pag['page_date'],
"PAGE_BEGIN" => $pag['page_begin'],
"PAGE_EXPIRE" => $pag['page_expire'],
"PAGE_COMMENTS" => $comments_link,
));

/* Tab navigation, only for multi-tab pages. */
if($pag['page_totaltabs']>1)
{
$t->assign(array(
"PAGE_MULTI_TABNAV" => $pag['page_tabnav'],
"PAGE_MULTI_TABTITLES" => $pag['page_tabtitles'],
"PAGE_MULTI_CURTAB" => $pag['page_tab'],
"PAGE_MULTI_MAXTAB" => $pag['page_totaltabs']
));
$t->parse("MAIN.PAGE_MULTI");
}

/* Admin-only links; the unvalidate link carries the anti-CSRF token from sed_xg(). */
if ($usr['isadmin'])
{
$t-> assign(array(
"PAGE_ADMIN_COUNT" => $pag['page_count'],
"PAGE_ADMIN_UNVALIDATE" => "<a href=\"admin.php?m=page&amp;s=queue&amp;a=unvalidate&amp;id=".$pag['page_id']."&amp;".sed_xg()."\">".$L['Putinvalidationqueue']."</a>",
"PAGE_ADMIN_EDIT" => "<a href=\"page.php?m=edit&amp;id=".$pag['page_id']."&amp;r=list\">".$L['Edit']."</a>"
));

$t->parse("MAIN.PAGE_ADMIN");
}

/* Body rendering depends on the stored page_type:
   '1' raw HTML as stored; '2' the stored text is executed as PHP; anything
   else goes through sed_cc() and the BBcode/smilies parser. */
switch($pag['page_type'])
{
case '1':
$t->assign("PAGE_TEXT", $pag['page_text']);
break;

case '2':

/* SECURITY: eval() runs the stored page_text as server-side PHP. The only
   gate is the pair of config flags; whoever can store a type-2 page's text
   effectively gets code execution. Keep both flags off unless page editing
   is restricted to fully trusted administrators, and audit where page_type
   and page_text can be set. */
if ($cfg['allowphp_pages'] && $cfg['allowphp_override'])
{
ob_start();
eval($pag['page_text']);
$t->assign("PAGE_TEXT", ob_get_clean());
}
       else
{
$t->assign("PAGE_TEXT", "The PHP mode is disabled for pages.<br />Please see the administration panel, then \"Configuration\", then \"Parsers\".");
}
break;

default:
$t->assign("PAGE_TEXT",sed_parse(sed_cc($pag['page_text']), $cfg['parsebbcodepages'], $cfg['parsesmiliespages'], 1));
break;
}

/* Attached file block. The icon is picked from the (lowercased, max 5 chars)
   extension of page_url, falling back to a generic icon when no such file
   exists. Quirk: strrpos() returns false when there is no '.', and false+1 is
   1, so the "extension" is then taken from offset 1 of the URL. */
if($pag['page_file'])
{
if (!empty($pag['page_url']))
{
$dotpos = strrpos($pag['page_url'],".")+1;
$pag['page_fileicon'] = "system/img/pfs/".strtolower(substr($pag['page_url'], $dotpos, 5)).".gif";
if (!file_exists($pag['page_fileicon']))
{ $pag['page_fileicon'] = "system/img/admin/page.gif"; }
$pag['page_fileicon'] = "<img src=\"".$pag['page_fileicon']."\" alt=\"\">";
}
else
{ $pag['page_fileicon'] = ''; }

$t->assign(array(
"PAGE_FILE_URL" => "page.php?id=".$pag['page_id']."&amp;a=dl",
"PAGE_FILE_SIZE" => $pag['page_size'],
"PAGE_FILE_COUNT" => $pag['page_filecount'],
"PAGE_FILE_ICON" => $pag['page_fileicon']
));
$t->parse("MAIN.PAGE_FILE");
}

/* Window title: site title, separator, page title, localised suffix. */
$t->assign(array (
"HEADER_TITLE" => $cfg['maintitle']." ".$cfg['separator']." ".$pag['page_title']." :: ".$L['plu_title'],
));

/* Render and emit the template. */
$t->parse("MAIN");
$t->out("MAIN");






?>

################################################
# Discovered By : Hassan Shakeri 
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
#######################################################
