Hi All,
I am Maloy Roy Orko
Recently, during one of my pentest research sessions, I found an Employee Management System application by tutorials-website, which is an open source Employee Management System to manage the users of a company or organization.
Curious to explore its functionality, I downloaded it and set it up on my local system.
After fiddling with the source code, I found that the /admin/update-user.php file is vulnerable to IDOR!
It can lead to:
- Unauthorized Data Access
- Data Manipulation
- Account Takeover
- Privilege Escalation
- Denial of Service (DoS)
- Reputation Damage
- Regulatory Consequences
The main thing is, if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too.
That's why I am trying to inform everyone about this.
Title of the Vulnerability:
Tutorials-website | Employee Management System (EMS Version-1.0) | IDOR | Admin or Account Takeover via /admin/update-user.php
Vulnerability Class: Insecure Direct Object Reference (IDOR)
Product Name: Employee Management System (EMS Version-1.0)
Vendor: https://github.com/tutorials-website
Vulnerable Product Link: https://github.com/tutorials-website/EMS-MINI-PROJECT
Technical Details & Description:
The application source code is written in a way that allows Insecure Direct Object Reference: the update endpoint acts on whatever user_id the request supplies, without checking that the caller is an administrator.
Product & Service Introduction:
Employee Management System (EMS Version-1.0)
Observation & Exploitation:
Here, the vulnerable file is: /admin/update-user.php
Who will be affected by this IDOR attack?
-> The company! Hackers will be able to access and modify admin and employee accounts, view and even modify their tasks, their employee verification information and even their leave verification data, because they can update any account to admin privilege through unauthorized requests, without any interaction from the administrators!
Let's exploit 🌠🗝️🔐:
First, go to /admin/update-user.php
You will see that no administrator access is needed to reach this endpoint! We only need the parameter value and the data we want to update!
Example:
http://192.168.0.100:8080/ems2/admin/delete-user.php?id=9
Now send the requests to the server with the headers shown in the screenshots, according to your target!
The important modification field:
user_id=9&inputName=Sandeep&email=sandeep%40gmail.com&password=&depart=Admin&role=employee
Here, I will change the user id to the account I want and change its user role!
From User to Administrator
Here, I want to escalate Sandeep's account from user to administrator privilege!
His user id is: 9
I will send a request to the server like this:
user_id=9&inputName=Sandeep&email=sandeep%40gmail.com&password=&depart=Admin&role=admin
As you can see, Sandeep is an administrator now! Privilege has been escalated!
Note: we can downgrade someone's account role too!
From Admin to Employee
We can even take over someone's account by changing the password, like this:
user_id=9&inputName=Sandeep&email=sandeep%40gmail.com&password=moloyroy&depart=Admin&role=admin
When we send this request, the password of Sandeep's account (which we already escalated to the admin role) will be:
moloyroy
Thus we can perform privilege escalation and account takeover!
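For comparison, here is what a fixed version of such an update-user handler should look like. This is an added example written for this write-up, not code from EMS-MINI-PROJECT; the form field names are the ones from the requests above, while the table and column names (users, id, name, email, password, department, role), the session key 'admin_id' and the database credentials are assumptions.

```php
<?php
// Added example for this write-up, not code from EMS-MINI-PROJECT. A hardened
// update-user handler: the table/column names (users, id, name, email,
// password, department, role), the session key 'admin_id' and the DB
// credentials are assumptions; the form field names are the ones in the post.
session_start();
// 1. Authorization before anything else: only a logged-in administrator may
//    reach the update logic. This is the check the IDOR write-up says is missing.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. State-changing requests must be POST and carry a session-bound CSRF token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 3. Validate every field; 'role' is restricted to a fixed allow-list so the
//    request body cannot name an arbitrary privilege level.
$userId = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
$name   = trim((string) ($_POST['inputName'] ?? ''));
$email  = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$depart = trim((string) ($_POST['depart'] ?? ''));
$role   = (string) ($_POST['role'] ?? '');
if (!$userId || $name === '' || !$email || !in_array($role, ['employee', 'admin'], true)) {
    http_response_code(400);
    exit('Invalid input');
}

// 4. Parameterised UPDATE: request data never reaches the SQL string.
$pdo = new PDO('mysql:host=localhost;dbname=ems', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('UPDATE users SET name = :name, email = :email, department = :depart,'
    . ' role = :role WHERE id = :id');
$stmt->execute([':name' => $name, ':email' => $email, ':depart' => $depart,
    ':role' => $role, ':id' => $userId]);

// 5. Change the password only when one was supplied, and store it hashed.
$password = (string) ($_POST['password'] ?? '');
if ($password !== '') {
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
}
// 6. Audit trail: record who changed which account and to which role.
error_log(sprintf('admin %d updated user %d role=%s', (int) $_SESSION['admin_id'], $userId, $role));
```

The session check in step 1 is the one that closes the IDOR; the remaining steps (CSRF token, role allow-list, prepared statements, hashed passwords, audit log) are the usual companions that a review of an admin endpoint like this would ask for.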
Conclusion:
The main aim of this article is to show that if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too. But I also hope it gives you ideas of how combining attacks can make them much more potent.