CVE-2021-45008 PoC — Plesk Cms access control error vulnerability

Associated Vulnerability
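Title: Plesk Cms access control error vulnerability (CVE-2021-45008)
Description: Plesk Cms is a WebOps hosting platform from Switzerland, used to run, automate and grow applications, websites and hosting businesses. Plesk CMS contains an access control error vulnerability that stems from the product failing to effectively restrict user identity. An attacker can use this vulnerability to escalate to administrator privileges. The following products and versions are affected: Plesk CMS version 18.0.37.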
Readme
# CVE-2021-45008

Privilege Escalation from user to admin


Affected product and version: Plesk Obsidian 18.0.37


Severity: Critical


Impact: Gain high privilege from user to admin and access critical information


Description: Insecure permissions vulnerability that allows an unprivileged user to get admin rights.



Steps to reproduce:

1.	Log in with a user account that has low roles
2.	Capture the request with Burp

![image](https://user-images.githubusercontent.com/65978029/154923387-398f42ea-a159-4bd1-b53e-59de6b0e6ee5.png)

3.	Note that the Super admin flag parameter is false
4.	Forward the request to log in
 
 ![image](https://user-images.githubusercontent.com/65978029/154923422-2b022a02-9562-4edc-8844-fab6a4607241.png)


5.	Now log out, enter the credentials to log in again, and capture the request
6.	Change the value of the Super admin flag parameter from false to true and forward the request
![image](https://user-images.githubusercontent.com/65978029/154923463-a5b6479e-635b-496f-9c9e-5dc5555d49b1.png)

7.	You will see more information, like bank account and other info
 
![image](https://user-images.githubusercontent.com/65978029/154923523-34823f79-7fd0-47dc-8d91-70a88f12464b.png)
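
Added example (not from the original README and not Plesk's code): a small Python model of the flaw class the steps describe, a login handler that takes the privilege flag from the request, beside a hardened handler that reads it only from the server-side account record and records the mismatch for detection. The field name `is_super_admin`, the account store and the function names are hypothetical.

```python
import hashlib
import hmac

def _hash(password):
    # Fixed salt and low iteration count only to keep the example small.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 1000)

# Constructed server-side account store; the privilege lives here, not in the request.
ACCOUNTS = {
    "alice": {"pw_hash": _hash("pw-alice"), "is_super_admin": False},
    "root": {"pw_hash": _hash("pw-root"), "is_super_admin": True},
}

def _authenticate(body):
    """Return the stored account if the credentials match, else None."""
    account = ACCOUNTS.get(body.get("username"))
    if account is None:
        return None
    supplied = _hash(str(body.get("password", "")))
    return account if hmac.compare_digest(account["pw_hash"], supplied) else None

def login_vulnerable(body):
    """Flawed pattern: the session copies the privilege flag from the request body."""
    if _authenticate(body) is None:
        return None
    # Whatever the client sends becomes the session's privilege level.
    return {"user": body["username"], "is_super_admin": body.get("is_super_admin") in (True, "true")}

def login_hardened(body, audit):
    """Hardened pattern: privilege comes only from the server-side record."""
    account = _authenticate(body)
    if account is None:
        return None
    claimed = body.get("is_super_admin") in (True, "true")
    if claimed and not account["is_super_admin"]:
        # A client claiming more privilege than it holds is a detection signal.
        audit.append(("privilege_flag_mismatch", body["username"]))
    return {"user": body["username"], "is_super_admin": account["is_super_admin"]}
```

The same check applies to every later request: authorization decisions should read the role from the session or database on the server, never from a parameter the browser can edit.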
File Snapshot

[4.0K] /data/pocs/ad6c6620f9e96ebd996aec9a9f7021cd9bf3b4e6
└── [1.2K] README.md

0 directories, 1 file