
Published on February 11th, 2023


WEBY 1.2.5 Cross Site Request Forgery – Torchsec



====================================================================================================================================
| # Title : WEBY v.1.2.5 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.1(32-bit) |
| # Vendor : https://ทําเว็บหาดใหญ่.com |
| # Dork : |
====================================================================================================================================

poc :

The affected file is /user.php, inside the folder /admin/user/.

On line 46 we note that it uses the $_GET variable.

When using method="get" in HTML forms, all names and values within the tag will appear on the browser's URL.

Remark :

Use this method when sending important data such as a password or other sensitive information.
A bookmark can be used to mark the page, which can be useful in some cases.
The GET method is suitable when sending large amounts of data.

There are two properties that the <form> element must have for it to function:

- action property: Contains the link to the page you will go to when you click the submit button.
- method: Defines how to send the data entered in the form, and it has two methods, GET and POST.

This data is usually sent to the host (server), where it is stored.
This data is processed using programming languages that run on the host, such as PHP.
So the form consists of a set of fields that work together to accomplish a specific function.
For example, the login form on almost all sites consists of three fields:

- Name or email field: <input type="text"> or <input type="email">.
- The password input field: <input type="password">.
- Submit button: <input value="submit" type="submit">.

The three fields must be present within one form, <form action="/?Action=add" method="POST">, and in the same way you can build any other form.

We go to line 95.

The method property specifies how the data entered in the form is sent, that is, the HTTP method used to send the data (GET or POST).
The action property specifies the action that will occur when the user clicks the submit button.

The action that takes place is to send the data entered in the form to the same file on the host (server).

Line 80 uses the $strSQL variable to query the database.

$strSQL .="('".$_POST["user"]."','".$_POST["pass"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["address"]."','".$_FILES["filUpload"]["name"]."') ";
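
A hardened version of the add-user handler discussed above, as an added example that is not WEBY's code or the advisory author's: it accepts the insert only as a POST carrying a per-session CSRF token and binds the form fields as query parameters. The table and column names, the is_admin session flag, the csrf_token field and the WEBY_* environment variables are assumptions; the file upload field is left out.

```php
<?php
// Added example, not WEBY's own code. Assumed names: the users table and its
// columns, $_SESSION['is_admin'], the csrf_token field, the WEBY_* variables.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// One random token per session, embedded in the form as a hidden csrf_token field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a state change only as a POST from a logged-in admin with the session's token.
function request_is_trusted(): bool
{
    $sent = $_POST['csrf_token'] ?? '';
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && !empty($_SESSION['is_admin'])
        && is_string($sent)
        && hash_equals(csrf_token(), $sent);
}

function add_user(PDO $db, array $in): void
{
    // Bound parameters instead of concatenating $_POST into $strSQL.
    $stmt = $db->prepare(
        'INSERT INTO users (username, name, tel, email, address, pass_hash)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // Treat missing or non-string (array) inputs as empty strings.
    $str = fn($key) => is_string($in[$key] ?? null) ? $in[$key] : '';
    $row = array_map($str, ['user', 'name', 'tel', 'email', 'address']);
    $row[] = password_hash($str('pass'), PASSWORD_DEFAULT);
    $stmt->execute($row);
}

if (($_GET['Action'] ?? '') === 'add') {
    if (!request_is_trusted()) {
        http_response_code(403);
        exit('Request rejected');
    }
    $db = new PDO((string) getenv('WEBY_DSN'), getenv('WEBY_DB_USER') ?: null,
        getenv('WEBY_DB_PASS') ?: null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    add_user($db, $_POST);
}
```

Because the password is stored with password_hash(), the login check has to compare with password_verify().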

[+] Dorking in Google or other search engine.

[+] Use Payload : /admin/user/user.php?Action=plus <=== add new admin

[+] Use Payload : /admin/user/user.php?Action=show <=== show new admin

[+] http://127.0.0.1/WEBY/admin/user/user.php?Action=plus

[+] Copy the code below and paste it into an HTML file.

Setting User

+++ จัดการ User

Status (สถานะ)

[+] Go to line 46.

[+] Set the target site link, save the changes and apply.

Greetings to :===================================================================================
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|
==================================================================================================
