CVE-2021-46075 : A basic privilege escalation (+ XAMPP quick tutorial on Linux)
Welcome to this new tutorial; this time we experiment with a web exploit.
In this video, we will see how to reproduce an exploit that lets a low-privileged (staff) user perform CRUD (Create-Read-Update-Delete) operations on user accounts that they should not be able to perform.
This tutorial was made on a Vagrant virtual machine hosted in my web browser. It can be reproduced on Windows, Linux and macOS, since we will use XAMPP from apachefriends, which is available for all three platforms.
Here are the steps covered in the video :
Xampp is a simple tool to host web servers on your computer to test your projects. We will use it in this tutorial to test the vulnerable application.
Download xampp on https://www.apachefriends.org/fr/index.html
Install it :
chmod 755 xampp-linux-(your-version)-installer.run
sudo ./xampp-linux-(your-version)-installer.run
Accept XAMPP developer files, and proceed with the installation (can take some time)
Check that XAMPP is correctly installed (on Linux the install directory and the control script are both called lampp, as in my case) :
cd /opt/lampp/
Now there can be a problem if the lampp script does not recognize your kernel version: in that case it falls back to assuming version 2.2.5, which is almost never correct. You will have to edit the /opt/lampp/lampp script.
First check your own kernel version (this command only works on RPM-based distributions such as CentOS/RHEL; on other distributions read it from uname -r instead) :
rpm -q kernel
Your kernel version is the 3 numbers after "kernel-". Now edit the script as root. Do not make it world-writable with chmod 777 to get around the permissions: a script that root runs on every start and that any local user can modify is itself a local privilege escalation.
cd /opt/lampp
sudo vi lampp
The line to change should be in the 400s. In "export LD_ASSUME_KERNEL=2.2.5", replace 2.2.5 with your kernel version (3.10.0 for me).
You can now start xampp !
sudo ./lampp start
Let's download the vulnerable app to test :
https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
/opt/lampp/htdocs is the directory where you put the pages of your application. It has restricted permissions by default. If you want to be able to add new pages, do :
sudo chmod 777 htdocs
A world-writable web root is acceptable only on a throwaway lab VM like this one; never do this on a machine that anyone else can reach, since every local user could then plant PHP that Apache will execute.
Now unzip the file you downloaded, which contains the source code of the app. You will get a directory that you should now be able to copy into the htdocs directory; the rest of this tutorial assumes that directory is named vehicle_service, matching the URLs used below.
The app also needs a database, which has to be configured. Open a new web browser tab and go to : localhost/phpmyadmin
On this webpage you have a main menu, on which you have to click "databases". Create a new database called "vehicle_service_db", it should say that there are currently no tables in the database you just created. Click on "import" to import the app's database. Browse to the app files that you downloaded previously and find the "database" directory. Inside, select the vehicle_service_db.sql file. Now click "go" and the database will be imported in phpmyadmin.
The app is now operational !
Now, in one web browser (let's say Firefox), go to "localhost/vehicle_service/admin" and log in with admin/admin123 as the username/password. This is the admin's dashboard. Go to the user list and create a new user with staff privileges. Save that user by clicking "update".
In a second web browser (let's say Chrome), also go to "localhost/vehicle_service/admin" and log in with the staff credentials of the user you just made. That user has fewer privileges than the admin and their dashboard has fewer elements. They should not be able to create new users, let alone new admins.
Go back to the first web browser (Firefox) and, as the admin, start creating a new user. You are taken to this link :
http://localhost/vehicle_service/admin/?page=user/manage_user
You don't have to actually create a user; just copy the link.
Go back to the 2nd web browser (Chrome), where you are logged in as staff, and paste the link you copied, which should be reserved to admins only. It lets you create a new user, with admin privileges, even though you are still only a staff user! Save the created user in the 2nd web browser (Chrome) and reload the user list in the 1st web browser (Firefox) : the new user appears.
This is broken access control (missing function-level authorization, reachable by forced browsing): the application only hides the user-management entry from the staff dashboard, it does not verify on the server side that the requester is an admin before serving the manage_user page or saving the submitted form. Any authenticated staff user who knows or guesses the URL can therefore create an admin account for themselves, and with it perform CRUD (Create-Read-Update-Delete) operations on everything in the app, which is exactly what the admin intended staff members not to be able to do.
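To make the fix concrete, here is an added example, written for this page and not code from the Vehicle Service Management System itself, showing the pattern that produces this bug beside a hardened version. The session key ($_SESSION['login_type']), the role codes (1 = admin, 2 = staff), the function names and the routing are assumptions chosen for illustration, not the project's real identifiers.

```php
<?php
// Added example: the authorization pattern behind CVE-2021-46075, vulnerable
// form beside a hardened form. All names (session key, role codes, function
// names) are assumptions for illustration, not the real app's code.

session_start();

const ROLE_ADMIN = 1;   // assumed role code
const ROLE_STAFF = 2;   // assumed role code

// Sidebar: the "Users" link is only rendered for admins. This is the ONLY
// thing the vulnerable app does, and it is purely cosmetic, since a staff
// session can still type ?page=user/manage_user into the address bar.
function render_sidebar(array $session): string
{
    $html = '<a href="?page=home">Home</a>';
    if (($session['login_type'] ?? null) === ROLE_ADMIN) {
        $html .= '<a href="?page=user/manage_user">Users</a>';
    }
    return $html;
}

// ---------- VULNERABLE PATTERN ----------
// No role check at all: whoever reaches this code path may create a user,
// and the "type" field comes straight from the client, so staff can submit
// type=1 and mint an admin account for themselves.
function manage_user_vulnerable(array $session, array $post): string
{
    return save_user($post['username'] ?? '', (int)($post['type'] ?? ROLE_STAFF));
}

// ---------- HARDENED PATTERN ----------
// Enforce the role on the server, in EVERY entry point that touches users:
// the page that renders the form and the handler that processes the submit.
// Hiding the link is not a control; this check is.
function require_admin(array $session): void
{
    if (($session['login_type'] ?? null) !== ROLE_ADMIN) {
        http_response_code(403);
        exit('Forbidden: admin role required');
    }
}

function manage_user_hardened(array $session, array $post): string
{
    require_admin($session);   // forced browsing by a staff session stops here
    $type = (int)($post['type'] ?? ROLE_STAFF);
    if (!in_array($type, [ROLE_ADMIN, ROLE_STAFF], true)) {
        http_response_code(400);
        exit('Invalid role');
    }
    return save_user($post['username'] ?? '', $type);
}

// Stand-in for the database write so the file runs stand-alone; the real app
// writes to the imported vehicle_service_db MySQL database instead.
function save_user(string $username, int $type): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
        http_response_code(400);
        exit('Invalid username');
    }
    return "created user '$username' with role $type";
}

// Dispatcher, mirroring the ?page=... routing style of the target app.
// Both the GET (render) and the POST (save) of manage_user go through the
// role check; switching the call to manage_user_vulnerable() reproduces the
// bug from the video.
$page = $_GET['page'] ?? 'home';
if ($page === 'user/manage_user') {
    require_admin($_SESSION);
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        echo manage_user_hardened($_SESSION, $_POST);
    } else {
        echo '<form method="post">...user form...</form>';
    }
} else {
    echo render_sidebar($_SESSION);
}
```

Verify the fix the same way the video demonstrates the bug: log in as staff in one browser, request the manage_user URL directly, and expect a 403 both for the GET of the page and for the POST that saves the form; then repeat as admin and confirm the page still works. Checking only the page render and forgetting the save handler (which in many of these apps is a separate endpoint called by JavaScript) leaves the escalation intact.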
---------------------------
Sources & links :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46075
https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Privilege-Escalation-Leads-to-CRUD-Operations
https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html