CVE-2022-25045 Home Owners Collection Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access #6

Open
VivekPanday12 opened this issue Feb 9, 2022 · 0 comments

Comments

@VivekPanday12
Copy link
Owner

VivekPanday12 commented Feb 9, 2022

CVE-2022-25045 Exploit Title: Home Owners Collection Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access

Exploit Author: VIVEK PANDAY

Vendor Homepage: https://www.sourcecodester.com/

Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Tested on: Windows 10

LinkedIn Contact: https://www.linkedin.com/in/vivek-panday-796768149

Hardcoded Credentials:

Hardcoded passwords, also often referred to as embedded credentials, are plain-text passwords or other secrets in source code. Password hardcoding refers to the practice of embedding plain-text (non-encrypted) passwords and other secrets (SSH keys, DevOps secrets, etc.) into the source code. Default, hardcoded passwords may be used across many of the same devices, applications and systems, which helps simplify setup at scale, but at the same time poses a considerable cybersecurity risk.

[Attack Vectors]

An attacker can gain admin panel access using the default credentials and carry out malicious activities.

Proof Of Concept

1. Download the source code from https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

2. Unzip it and go to the Database folder; there we can see one SQL file.

3. Open that file using Notepad and there we can see the admin credentials, but the password is encrypted. From the pattern I identified that this is an MD5 hash, so we can easily decrypt it using crackstation.net or any hash cracker tool like Hashcat or John the Ripper.
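As an added example (not the issue author's code, and not part of the affected project), here is a small Python checker written from a defender's stance: it scans a seed SQL file of the kind described above for INSERT rows that carry credential columns and classifies each stored value as plaintext, an unsalted MD5-style hash, or a modern salted hash, so that shipped default accounts and weak hashes are caught before release. The SQL sample, table layout and usernames are constructed; the regexes assume simple INSERT syntax with no commas inside quoted values.

```python
import re

# Constructed sample resembling a seed SQL file shipped in a project's
# "Database" folder. Usernames, hashes and table layout are illustrative,
# not copied from the real application.
SAMPLE_SQL = """
INSERT INTO `users` (`id`, `username`, `password`) VALUES
(1, 'admin', '0192023a7bbd73250516f069df18b500'),
(2, 'clerk', '$2y$10$Q9ZbGz3H1xkXHN2C6aQy6u9tI8o1o4uO1pJ5vW0cT3bq6r2mN1eW2'),
(3, 'guest', 'guest123');
"""

INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*(.*?);", re.I | re.S)
ROW_RE = re.compile(r"\(([^()]*)\)")
MD5_HEX = re.compile(r"[0-9a-f]{32}", re.I)
SECRET_COLS = {"password", "passwd", "pass", "pwd", "secret", "api_key", "token"}


def classify_secret(value: str) -> str:
    """Rough classification of a stored credential value."""
    if value.startswith(("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2")):
        return "salted-hash"   # modern password hash, not trivially reversible
    if MD5_HEX.fullmatch(value):
        return "unsalted-md5"  # 32 hex chars: fast, unsalted, crackable offline
    return "plaintext"


def find_seeded_credentials(sql: str) -> list:
    """Return one finding per secret-bearing column in every INSERT row."""
    findings = []
    for stmt in INSERT_RE.finditer(sql):
        table, cols, body = stmt.group(1), stmt.group(2), stmt.group(3)
        names = [c.strip().strip("`").lower() for c in cols.split(",")]
        for row in ROW_RE.findall(body):
            # Simple split: assumes no commas inside quoted values.
            vals = [v.strip().strip("'\"") for v in row.split(",")]
            rec = dict(zip(names, vals))
            for col in names:
                if col in SECRET_COLS:
                    findings.append({"table": table, "column": col,
                                     "user": rec.get("username", "?"),
                                     "kind": classify_secret(rec[col])})
    return findings


if __name__ == "__main__":
    for f in find_seeded_credentials(SAMPLE_SQL):
        print(f"{f['table']}.{f['column']} user={f['user']}: {f['kind']}")
```

Any "unsalted-md5" or "plaintext" finding on a seeded account is a release blocker: the row should be removed or the value replaced by a hash from a slow, salted algorithm such as bcrypt or Argon2, and the default account should be forced through a first-login password change.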

@VivekPanday12 VivekPanday12 changed the title Home Owners Collection Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access CVE-2022-25045 Home Owners Collection Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access May 18, 2022