Prediction Football 2.51 XRF / CSRF

ID 1337DAY-ID-16676
Type zdt
Reporter Smith Falcon
Modified 2011-08-14T00:00:00


Exploit for php platform in category web applications

                                            # Exploit Title: [title]
# Google Dork: [if relevant]  intext:"Prediction football 2.51"
# Date: 08/08/2011
# Author: Smith Falcon
# Software Link:
# Version: 2.51
# Tested on: Linux
First create a username and go to Account Profile
The POST variable in index.php?cmd=changepass is vulnerable to CSRF
Grab Header Information with HTTP Live headers and replay the POST VARIABLE
&OLDPWD=anything&USERID=[id of user u want pwd
REPLAY with new password of the userid and logout!
Now you can login with that desired user and password!

# [2018-04-09]  #