Skip to content

plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2021-46080

Exploit Title: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)

Exploit Author: P.L.Sanu

CVE: CVE-2021-46080

CVSS: 4.8 MEDIUM

References:

Description:

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

1. Vehicle Service Management System - 'Mechanic List' (/admin/?page=mechanics)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
  6. Inject the below payload in Full Name input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Save button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the Mechanic List section in Browser B (Firefox).
  6. Malicious javascript code triggered.

2. Vehicle Service Management System - 'Service Requests' (/admin/?page=service_requests)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
  6. Inject the below payload in Owner Contact input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Save Request button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the Service Requests section in Browser B (Firefox).
  6. Choose the newly created Service Requests and click on Action under View.
  7. Malicious javascript code triggered.

3. Vehicle Service Management System - 'Category List' (/admin/?page=maintenance/category)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
  6. Inject the below payload in Category Name input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Save button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the Category List section in Browser B (Firefox).
  6. Malicious javascript code triggered.

4. Vehicle Service Management System - 'Service List' (/admin/?page=maintenance/services)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
  6. Inject the below payload in Service Name input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Save button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the Service List section in Browser B (Firefox).
  6. Malicious javascript code triggered.

5. Vehicle Service Management System - 'User List' (/admin/?page=user/list)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
  6. Inject the below payload in First Name input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Save button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the User List section in Browser B (Firefox).
  6. Malicious javascript code triggered.

6. Vehicle Service Management System - 'Settings' (/admin/?page=system_info)

Exploit:

  1. Visit the admin panel http://localhost/vehicle_service/admin
  2. Create two admin accounts.
  3. Login the Admin-1 account in Browser A (Chrome)
  4. Login the Admin-2 account in Browser B (Firefox)
  5. In Admin-1 account(Chrome) navigate to the Settings section.
  6. Inject the below payload in System Name input field.

Payload:

 "><script>alert(document.cookie)</script>
  1. Click on Update button.
  2. Capture the request in burpsuite and generate the CSRF Html File.
  3. Save the CSRF Html file For Ex: CSRF.html
  4. In Browser B (Firefox) browse the CSRF.html file.
  5. Navigate to the Settings section in Browser B (Firefox).
  6. Malicious javascript code triggered.

Impact:

Cross-Site Request Forgery vulnerability exists in Multiple endpoints it leads to Stored Cross Site Scripting Vulnerability.

Mitigation:

It is recommended to implement the following:

  • Unpredictable with high entropy, as for session tokens in general.
  • Tied to the user's session.
  • Strictly validated in every case before the relevant action is executed.

About

CVE-2021-46080 - A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published