
CVE-2018-3783 PoC: flintcms permission and access control vulnerability

Associated Vulnerability
Title: flintcms permission and access control vulnerability (CVE-2018-3783)
Description: flintcms is a content management system (CMS). flintcms 1.1.9 and earlier contain a privilege escalation vulnerability. An attacker can exploit it to take control of accounts.
PoC Description: Blind NoSQL injection case study lab based on CVE-2018-3783
Readme
# nosqli-flintcms

Blind NoSQL injection case study lab based on CVE-2018-3783 (privilege escalation on flintcms 1.1.9).

The vulnerability was originally discovered by Benoit Côté-Jodoin. You can read the original report on [HackerOne](https://hackerone.com/reports/386807).

## Prerequisites

```
docker-compose
```

**Limitation**: We removed the `sendEmail` function, so the server cannot send email. It still generates a reset token when a password reset is requested.

## Lab Setup

1. The environment variables are in `docker-compose.yml`; you can change the database credentials there.
2. Run `docker-compose up` and wait until the containers are built and running properly.
3. Go to `localhost:4000`; you should see a welcome page. Then visit `localhost:4000/admin/install` and enter a fake email address, username and password.
4. Let's hack!

Don't forget to run `docker-compose down` once finished hacking.

## How does it work?

Coming soon.
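Until that section is written, here is an added illustration in JavaScript of the bug class the lab studies; it is not flintcms's code and not part of this repository. A password reset token arrives in a parsed JSON body and is handed to a MongoDB-style lookup; because JSON body parsers deliver objects as objects, a caller can send a query-operator document in place of the token string. The in-memory `users` record, the `findOne` stand-in, the token value and the 12-hex-character token format are all constructed for the example and are assumptions, not flintcms internals. The defensive point is the pair of checks in `findByTokenHardened` and `containsOperator`.

```javascript
// Added example (not flintcms or lab code): why a reset-token lookup must
// reject non-string input before it reaches a MongoDB query, and how to
// harden it. Everything below is constructed for illustration.

// Constructed stand-in for a MongoDB users collection.
const users = [
  { email: 'admin@example.test', resetToken: 'a3f9c1d2e4b5', role: 'admin' },
  { email: 'bob@example.test', resetToken: null, role: 'editor' },
];

// Minimal imitation of MongoDB matching for one field: a string is an
// equality match; an object is read as an operator document ($gt only here).
function mongoLikeMatch(docValue, cond) {
  if (typeof cond === 'string') return docValue === cond;
  if (cond && typeof cond === 'object' && '$gt' in cond) {
    return typeof docValue === 'string' && docValue > cond.$gt;
  }
  return false;
}

// Stand-in for collection.findOne(query).
function findOne(query) {
  const hit = users.find((u) =>
    Object.keys(query).every((k) => mongoLikeMatch(u[k], query[k])));
  return hit || null;
}

// Vulnerable pattern: whatever arrived in the JSON body is used as the query
// value. With express.json() or a similar parser, {"$gt": ""} arrives as an
// object and matches any user that has a token set, without knowing it.
function findByTokenVulnerable(token) {
  return findOne({ resetToken: token });
}

// Hardened pattern: accept only a string of the expected shape (the
// 12-hex-character format is an assumption for this example) and only then
// query on it. A plain string cannot change the structure of the query.
function findByTokenHardened(token) {
  if (typeof token !== 'string' || !/^[0-9a-f]{12}$/.test(token)) return null;
  return findOne({ resetToken: token });
}

// Defence in depth for any request body: true if any nested key starts with
// '$', i.e. the value could be read as a query operator document. The
// express-mongo-sanitize package applies the same idea to every request.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}

console.log('vulnerable, operator object:', findByTokenVulnerable({ $gt: '' }));
console.log('hardened, operator object:  ', findByTokenHardened({ $gt: '' }));
console.log('hardened, real token:       ', findByTokenHardened('a3f9c1d2e4b5'));
```

The type and format check is the fix that matters: once the token can only ever be a string, the query shape is fixed by the server and the lookup degrades to an equality test. The `containsOperator` walk is a second line for request bodies that are reused in several queries, where a per-field check is easy to forget.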
File Snapshot

```
[4.0K] /data/pocs/8bef776119f6a6043a8f75074e757a117c6add0e
├── [ 848] docker-compose.yml
├── [1.3K] exploit.py
├── [4.0K] flintapp
│   ├── [ 373] Dockerfile
│   ├── [ 995] index.js
│   ├── [ 355] package.json
│   ├── [340K] package-lock.json
│   ├── [ 513] patchSendEmail.js
│   ├── [4.0K] public
│   │   └── [139K] main.css
│   ├── [4.0K] scss
│   │   └── [  48] main.scss
│   └── [4.0K] templates
│       └── [1.4K] homepage.njk
└── [ 922] README.md

4 directories, 11 files
```