ENTAB ERP 1.0 - Username PII leak

Author: Deb Prasad Banerjee
type: webapps
platform: asp
port: 
date_added: 2023-04-08 
date_updated: 2023-04-08 
verified: 0 
codes: CVE-2022-30076 
tags: 
aliases:  
screenshot_url:  
application_url: 

Exploit Title: ENTAB ERP 1.0 - Username PII leak
Date: 17.05.2022
Exploit Author: Deb Prasad Banerjee
Vendor Homepage: https://www.entab.in
Version: Entab ERP 1.0
Tested on: Windows IIS
CVE: CVE-2022-30076

Vulnerability Name: Broken Access control via Rate Limits

Description:
In the entab software in fapscampuscare.in, there is a login portal with a
UserId field. An authenticated user would enter and get their name as well
as other services. However, there should be a rate limit in place, which is
not present. As a result, a hacker could bypass the system and obtain other
usernames via broken access control. This enables a threat actor to
obain the complete full name and user ID of the person.

POC:
1. Go to fapscampuscare.in or any entab hosted software and find the entab
software.
2. Use a proxy to intercept the request.
3. Since it's a student login, try a random UserId (e.g., s11111).
4. Intercept the request using Burp Suite and send it to the Intruder.
5. Select payloads from number 100000-20000, and turn off URL encoding on
the UserId parameter.
6. Start the attack and sort by length to obtain the username and full name
of other users.