Share
## https://sploitus.com/exploit?id=30299F59-AE61-5991-89ED-6AFF5C611A06
# PoC: CVE-2025-2304 - Camaleon CMS Privilege Escalation

## Technical Overview

This repository contains a Functional Proof of Concept (PoC) for a **Mass Assignment** vulnerability in **Camaleon CMS** (versions prior to 2.8.1). The vulnerability resides in the `updated_ajax` endpoint of the User Management module, where the application fails to strictly filter sensitive attributes within the `password` parameter hash.

By injecting a `role` attribute into the `password` scope during a profile update, a low-privileged user can overwrite their own permissions to gain `admin` status.

### Vulnerability Mechanism

The vulnerability is rooted in a misconfiguration of **Strong Parameters** in the Ruby on Rails controller. When the application processes the AJAX update request, it improperly allows the `role` key to be merged into the user object's attributes:

* **Vulnerable Endpoint:** `/admin/users/:id/updated_ajax`
* **Vulnerable Parameter Scope:** `password[...]`
* **Injection Vector:** `password[role]=admin`

---

## Technical Features

* **Session Persistence:** Utilizes `requests.Session` to maintain state across the authentication and exploitation phases.
* **Automated CSRF Synchronization:** Scrapes the `authenticity_token` from the DOM and synchronizes it with the `X-CSRF-Token` header, satisfying Rails' AJAX security requirements.
* **Dynamic ID Discovery:** Parses the `/admin/profile/edit` page to dynamically resolve the `user[id]` required for the RESTful endpoint.
* **HTTP Method Emulation:** Implements the `_method=patch` override to satisfy the application's routing requirements for resource updates via `POST`.

---

## Requirements

* Python 3.10+
* `requests`
* `beautifulsoup4`

Install dependencies:

```bash
pip install -r requirements.txt
```

---

## Usage

```bash
python3 main.py -u  --user  --password 
```

### Exploit Execution Flow

1. **Auth (POST `/admin/login`):** Establishes an authenticated session using `user[username]`.
2. **Recon (GET `/admin/profile/edit`):** Extracts the unique `user[id]` and a fresh `authenticity_token`.
3. **Escalation (PATCH-over-POST `/admin/users/:id/updated_ajax`):** Dispatches the injection payload.

---

## Payload Specification

The exploit utilizes an `application/x-www-form-urlencoded` payload structured as follows:

| Parameter | Value | Description |
| --- | --- | --- |
| `_method` | `patch` | Rails REST method override |
| `authenticity_token` | `[Captured]` | Synchronized CSRF protection |
| `password[password]` | `[NewPassword]` | Required for password-scope validation |
| `password[role]` | `admin` | **Malicious Injection** |

---

## Ethical Disclosure

This tool is for educational purposes and authorized penetration testing only. Unauthorized access to production systems is illegal.