# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # <!--# Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer# Dork: N/A# Date: 27.08.2017# Vendor Homepage: http://www.scubez.net/# Software Link: http://www.mscript.in/# Version: 2.7# Category: Webapps# Tested on: windows 7 / mozila firefox # supporting tools for testing : No-Redirect Add-on in firefox#--!># ========================================================### admin panel Authentication bypass # # Description : An Attackers are able to completely compromise the web application built upon# Matrimonial Script as they can gain access to the admin panel andmanage the website as an admin without# prior authentication!# # Proof of Concept : - # Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php# Step 2: Access http://example.com/path/admin/index.php# # # Risk : Unauthenticated attackers are able to gain full access to the administrator panel# and thus have total control over the web application, including content change,add admin user .. etc##### ========================================================# [+] Disclaimer## Permission is hereby granted for the redistribution of this advisory,# provided that it is not altered except by reformatting it, and that due# credit is given. Permission is explicitly given for insertion in# vulnerability databases and similar, provided that due credit is given to# the author. The author is not responsible for any misuse of the information contained # herein and prohibits any malicious use of all security related information# or exploits by the author or elsewhere.### # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
