CVE-2022-44411
Updated 26 November 2022

Exploit Title: Web Based Quiz System v1.0 is vulnerable to a brute force attack

Software Link: https://www.sourcecodester.com/download-code?nid=14727&title=Web+Based+Quiz+System+in+PHP%2FMySQLi+with+Full+Source+Code

Version: v1.0

Description: Web Based Quiz System v1.0 transmits user passwords in plaintext during authentication, and its login endpoint neither limits nor slows repeated attempts, so an attacker can recover users' passwords by brute force.


Steps to reproduce:

1. Try to log in through the login form.

2. Capture the request and observe that the password is transmitted in plaintext; then submit repeated login attempts with candidate passwords (a brute force attack).

3. Judge whether a candidate is the correct password from the difference between the server's responses to correct and incorrect credentials.

Patch recommendation:

Add rate limit protection on the POST login endpoint and its parameters, counting failed attempts per account and per source address.
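The following is an added example, not code from the Web Based Quiz System or from the advisory author. It simulates in-process both the procedure in the steps above (using the differing responses as an oracle to tell a correct password from an incorrect one) and the recommended fix (a sliding-window rate limiter on failed logins). The login handler, response texts, the credential "admin"/"quiz2022", the source address and the wordlist are all constructed assumptions; the real application's endpoint, field names and responses are not reproduced here.

```python
"""Constructed demonstration of a login brute force that keys on response
differences, and of a per-(source, account) failure rate limiter that stops it.
Everything is simulated in-process; no network requests are made."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed credential store standing in for the application's users table.
USERS: Dict[str, str] = {"admin": "quiz2022"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def login_unprotected(username: str, password: str) -> Response:
    """Hypothetical login handler with no throttling. Success and failure
    return different status codes and bodies, which is the oracle step 3 of
    the advisory relies on."""
    if USERS.get(username) == password:
        return Response(302, "Location: dashboard.php")
    return Response(200, "Invalid username or password")


class FailureRateLimiter:
    """Sliding-window counter of failed logins keyed on (source, username).
    The clock is injected so behaviour is deterministic; a real deployment
    would back the counters with a shared store (database or cache) instead
    of a process-local dict."""

    def __init__(self, max_failures: int, window: float, clock: Callable[[], float]):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _recent(self, key: Tuple[str, str]) -> Deque[float]:
        q = self._failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:      # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, key: Tuple[str, str]) -> bool:
        return len(self._recent(key)) < self.max_failures

    def record_failure(self, key: Tuple[str, str]) -> None:
        self._recent(key).append(self.clock())


def make_ratelimited_login(limiter: FailureRateLimiter, source_ip: str):
    """Wrap the handler so failures from one source against one account are
    counted and excess attempts are refused before the password is checked."""
    def login(username: str, password: str) -> Response:
        key = (source_ip, username)
        if not limiter.allowed(key):
            return Response(429, "Too many failed logins; try again later")
        resp = login_unprotected(username, password)
        if resp.status != 302:
            limiter.record_failure(key)
        return resp
    return login


def brute_force(login, username: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Step 3 as an algorithm: take a baseline response for a password that is
    certainly wrong, then report the first candidate whose response differs.
    Returns (recovered password or None, number of requests sent)."""
    baseline = login(username, "\x00certainly-wrong\x00")
    sent = 1
    for candidate in wordlist:
        resp = login(username, candidate)
        sent += 1
        if resp.status == 429:          # throttled: the oracle is gone
            return None, sent
        if resp != baseline:            # any difference in status/body is a hit
            return candidate, sent
    return None, sent


# Constructed wordlist; the real password sits at position 7.
WORDLIST = ["123456", "password", "admin", "quiz", "letmein", "welcome", "quiz2022", "qwerty"]


if __name__ == "__main__":
    print("unprotected:", brute_force(login_unprotected, "admin", WORDLIST))
    clock = [1000.0]
    limiter = FailureRateLimiter(max_failures=5, window=300.0, clock=lambda: clock[0])
    throttled = make_ratelimited_login(limiter, "198.51.100.7")
    print("rate limited:", brute_force(throttled, "admin", WORDLIST))
```

Against the unthrottled handler the loop recovers the password on the eighth request (baseline plus seven candidates); with five failures allowed per window it is refused on the sixth request and never sees the differing response. Keying the counter on both source address and account is deliberate: a per-source-only limit is bypassed by rotating addresses, and a per-account-only lockout lets an attacker deny service to a victim, so count both and keep the failure window longer than a typical attack burst.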