POC details: bc61d08b170e0245e24cf4400755c29c4ac2e7a0

Source
Related vulnerability
Title: CodeAstro Internet Banking System Cross-Site Request Forgery Vulnerability (CVE-2024-56924)
Description: CodeAstro Internet Banking System is a PHP online banking system from CodeAstro. Version 2.0.0 of CodeAstro Internet Banking System contains a security vulnerability. An attacker exploiting it can execute arbitrary JavaScript on the administration page (pages_account), thereby changing account settings or stealing sensitive user information.
Introduction
# CVE-2024-56924

# Vulnerability Description
<h5>A Cross-Site Request Forgery (CSRF) vulnerability exists in the CodeAstro Internet Banking System version 2.0.0. It allows remote attackers to perform unauthorized actions on behalf of authenticated users, such as administrators, without their knowledge. By crafting a malicious HTML page, an attacker can trick an authenticated user (such as an admin) into submitting a request that modifies sensitive account details (e.g., name, email) on the target system. The vulnerability arises from the lack of CSRF protection on the account modification page (e.g., pages_account.php): the server accepts the state-changing request on the strength of the session cookie alone, so a request originating from another site is processed as if the user had submitted it.</h5>
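The missing control described above is a per-session anti-CSRF token that the account update handler must verify before changing anything. The snippet below is an added illustration, not code from the CodeAstro project; the form field names, the `pages_account.php` action and the `update_account()` database helper are assumed.

```php
<?php
// Added illustrative example of synchronizer-token CSRF protection for an
// account-update page. Not CodeAstro code; update_account() is assumed to exist.

// SameSite=Lax stops the session cookie riding along on cross-site POSTs;
// defence in depth next to the token check, not a replacement for it.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// One random token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless the submitted token matches the session token.
// hash_equals() is constant-time; the empty-token guard avoids '' == '' passing.
function csrf_verify(): void {
    $known = $_SESSION['csrf_token'] ?? '';
    $sent  = $_POST['csrf_token'] ?? '';
    if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_verify();   // the check whose absence makes pages_account.php forgeable
    $name  = trim((string) ($_POST['name'] ?? ''));
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name !== '' && $email !== false) {
        update_account((int) $_SESSION['user_id'], $name, $email); // assumed helper
    }
}
?>
<form method="post" action="pages_account.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input name="name" type="text">
  <input name="email" type="email">
  <button type="submit">Update</button>
</form>
```

A forged cross-site form cannot read the victim's session token, so the handler returns 403 and the name and email stay unchanged; the same check must cover every state-changing endpoint, not only this page.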

# Versions Affected
<h5>2.0.0</h5>

# Researcher
<h5>Pratheep M</h5>

# Proof Of Concept

<h3>STEP BY STEP PROCEDURE</h3>
<h5>I have added the video POC for your reference below.</h5>

<h5>STEP 1: Click on the Admin Portal and log in using the default credentials.</h5>
<h5>STEP 2: Navigate to the Accounts section and use Burp Suite to intercept the request.</h5>
<h5>STEP 3: Click the Update button and capture the request. Then, right-click on the panel, go to Engagement Tools → Generate CSRF PoC.</h5>
<h5>STEP 4: Modify the request to update the name and email fields, and click Test in Browser.</h5>
<h5>STEP 5: Paste the PoC into the browser, and you will observe that the name and email have been successfully changed.</h5>

# Video POC
<h5>Releasing soon.</h5>
<p><img align="center" alt="poc" src="https://github.com/ipratheep/CVE-2024-56924/blob/main/poc.gif" width="700" height="400"></p>
File snapshot

[4.0K] /data/pocs/bc61d08b170e0245e24cf4400755c29c4ac2e7a0 └── [1.6K] README.md 0 directories, 1 file
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source has expired or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.