Hey there. Has anyone else run into this? I’m trying to exploit the IDOR to change the administrator password. When I submit the request to /reset.php I get access denied. When I change the verb I get missing parameters. I’m including headers Content-Type:application/x-www-form-urlencoded and PHPSESSID:SESS_ID. I’m also including parameters uid, token, password, username, full_name, and company. What other parameters could I be missing?
Also: (Not sure if this is how it’s supposed to be, but the button on the page itself is broken, so it doesn’t send any requests from the browser. I’m having to recreate everything using curl using the info from settings.php.)