# Title: School ERP System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 2020-01-31
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/
# Version ERP-Ultimate
# Tested on Windows 10/Kali Rolling
# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery
# that leads to admin account creation and arbitrary user deletion.
# Proof of Concept for the Admin Account Creation:
Proof of Concept for the arbitrary user deletion: